diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-a-scheduled-task-was-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-a-scheduled-task-was-created.asciidoc new file mode 100644 index 0000000000..daee260ea5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-a-scheduled-task-was-created.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-11-7-a-scheduled-task-was-created]] +=== A scheduled task was created + +Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +iam where event.action == "scheduled-task-created" and + + /* excluding tasks created by the computer account */ + not user.name : "*$" and + + /* TaskContent is not parsed, exclude by full taskname noisy ones */ + not winlog.event_data.TaskName : ( + "\\CreateExplorerShellUnelevatedTask", + "\\Hewlett-Packard\\HPDeviceCheck", + "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker", + "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker_backup", + "\\Hewlett-Packard\\HP Web Products Detection", + "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload", + "\\OneDrive Standalone Update Task-S-1-5-21*", + "\\OneDrive Standalone Update Task-S-1-12-1-*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-abnormal-process-id-or-lock-file-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-abnormal-process-id-or-lock-file-created.asciidoc new file mode 100644 index 0000000000..7e4a8f55dd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-abnormal-process-id-or-lock-file-created.asciidoc @@ -0,0 +1,124 @@ +[[prebuilt-rule-8-11-7-abnormal-process-id-or-lock-file-created]] +=== Abnormal Process ID or Lock File Created + +Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/ +* https://twitter.com/GossiTheDog/status/1522964028284411907 +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf +* https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Threat: BPFDoor +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 212 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Abnormal Process ID or Lock File Created + +Linux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value. + +Linux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented. + +This rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files. + +#### Possible investigation steps + +- Retrieve the file and determine if it is malicious: + - Check the contents of the PID files. They should only contain integer strings. + - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files. + - Check the size of the subject file. Legitimate PID files should be under 10 bytes. + - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload. + - Analysts can use tools like `ent` to measure entropy. + - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation. +- Trace the file's creation to ensure it came from a legitimate or authorized process. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. + +### False positive analysis + +- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious. +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file name and process executable conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Block the identified indicators of compromise (IoCs). +- Take actions to terminate processes and connections used by the attacker. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:file and event.action:creation and +user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and ( + (process.name : ( + bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp) + ) or ( + process.executable : ( + ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/* + )) +) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or +vzctl or ifup or rpcbind) and +not file.name : (jem.*.pid) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-account-discovery-command-via-system-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-account-discovery-command-via-system-account.asciidoc new file mode 100644 index 0000000000..75c294ed44 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-account-discovery-command-via-system-account.asciidoc @@ -0,0 +1,120 @@ +[[prebuilt-rule-8-11-7-account-discovery-command-via-system-account]] +=== Account Discovery Command via SYSTEM Account + +Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Account Discovery Command via SYSTEM Account + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +- Use the data collected through the analysis to investigate other machines affected in the environment. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (?process.Ext.token.integrity_level_name : "System" or + ?winlog.event_data.IntegrityLevel : "System") and + ( + process.name : "whoami.exe" or + ( + process.name : "net1.exe" and not process.parent.name : "net.exe" and not process.args : ("start", "stop", "/active:*") + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Owner/User Discovery +** ID: T1033 +** Reference URL: https://attack.mitre.org/techniques/T1033/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-adding-hidden-file-attribute-via-attrib.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-adding-hidden-file-attribute-via-attrib.asciidoc new file mode 100644 index 0000000000..2e7b891b52 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-adding-hidden-file-attribute-via-attrib.asciidoc @@ -0,0 +1,144 @@ +[[prebuilt-rule-8-11-7-adding-hidden-file-attribute-via-attrib]] +=== Adding Hidden File Attribute via Attrib + +Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Adding Hidden File Attribute via Attrib + +The `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. + +Attackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it. + +This rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to identify the target file or folder. + - Examine the file, which process created it, header, etc. + - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Examine the host for derived artifacts that indicate suspicious activities: + - Observe and collect information about the following activities in the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "attrib.exe" or ?process.pe.original_file_name == "ATTRIB.EXE") and process.args : "+h" and + not (process.parent.name: "cmd.exe" and process.command_line: "attrib +R +H +S +A *.cui") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ +* Sub-technique: +** Name: Windows File and Directory Permissions Modification +** ID: T1222.001 +** Reference URL: https://attack.mitre.org/techniques/T1222/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-adfind-command-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-adfind-command-activity.asciidoc new file mode 100644 index 0000000000..03828248f3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-adfind-command-activity.asciidoc @@ -0,0 +1,147 @@ +[[prebuilt-rule-8-11-7-adfind-command-activity]] +=== AdFind Command Activity + +This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://www.joeware.net/freetools/tools/adfind/ +* https://thedfirreport.com/2020/05/08/adfind-recon/ +* https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html +* https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware +* https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html +* https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AdFind Command Activity + +[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Examine the command line to determine what information was retrieved by the tool. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling. + +### Related rules + +- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1 +- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d +- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "AdFind.exe" or ?process.pe.original_file_name == "AdFind.exe") and + process.args : ("objectcategory=computer", "(objectcategory=computer)", + "objectcategory=person", "(objectcategory=person)", + "objectcategory=subnet", "(objectcategory=subnet)", + "objectcategory=group", "(objectcategory=group)", + "objectcategory=organizationalunit", "(objectcategory=organizationalunit)", + "objectcategory=attributeschema", "(objectcategory=attributeschema)", + "domainlist", "dcmodes", "adinfo", "dclist", "computers_pwnotreqd", "trustdmp") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Domain Groups +** ID: T1069.002 +** Reference URL: https://attack.mitre.org/techniques/T1069/002/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Domain Account +** ID: T1087.002 +** Reference URL: https://attack.mitre.org/techniques/T1087/002/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ +* Technique: +** Name: System Network Configuration Discovery +** ID: T1016 +** Reference URL: https://attack.mitre.org/techniques/T1016/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-adversary-behavior-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-adversary-behavior-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..8d20ed38f5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-adversary-behavior-detected-elastic-endgame.asciidoc @@ -0,0 +1,44 @@ +[[prebuilt-rule-8-11-7-adversary-behavior-detected-elastic-endgame]] +=== Adversary Behavior - Detected - Elastic Endgame + +Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-attempt-to-install-kali-linux-via-wsl.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-attempt-to-install-kali-linux-via-wsl.asciidoc new file mode 100644 index 0000000000..9b9cb61245 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-attempt-to-install-kali-linux-via-wsl.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-11-7-attempt-to-install-kali-linux-via-wsl]] +=== Attempt to Install Kali Linux via WSL + +Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://learn.microsoft.com/en-us/windows/wsl/wsl-config + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + (process.name : "wsl.exe" and process.args : ("-d", "--distribution", "-i", "--install") and process.args : "kali*") or + process.executable : + ("?:\\Users\\*\\AppData\\Local\\packages\\kalilinux*", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe", + "?:\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indirect Command Execution +** ID: T1202 +** Reference URL: https://attack.mitre.org/techniques/T1202/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-attempts-to-brute-force-a-microsoft-365-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-attempts-to-brute-force-a-microsoft-365-user-account.asciidoc new file mode 100644 index 0000000000..e0324f18a1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-attempts-to-brute-force-a-microsoft-365-user-account.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-11-7-attempts-to-brute-force-a-microsoft-365-user-account]] +=== Attempts to Brute Force a Microsoft 365 User Account + +Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem + +*Tags*: + +* Domain: Cloud +* Data Source: Microsoft 365 +* Use Case: Identity and Access Audit +* Tactic: Credential Access + +*Version*: 103 + +*Rule authors*: + +* Elastic +* Willem D'Haese +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and + event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and + not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or + UserStrongAuthClientAuthNRequired or InvalidReplyTo) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-attempts-to-brute-force-an-okta-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-attempts-to-brute-force-an-okta-user-account.asciidoc new file mode 100644 index 0000000000..92bc618d46 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-attempts-to-brute-force-an-okta-user-account.asciidoc @@ -0,0 +1,104 @@ +[[prebuilt-rule-8-11-7-attempts-to-brute-force-an-okta-user-account]] +=== Attempts to Brute Force an Okta User Account + +Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-180m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy + +*Tags*: + +* Use Case: Identity and Access Audit +* Tactic: Credential Access +* Data Source: Okta + +*Version*: 208 + +*Rule authors*: + +* Elastic +* @BenB196 +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Attempts to Brute Force an Okta User Account + +Brute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted. + +This rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts. + +#### Possible investigation steps: + +- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted. +- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout. +- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events. +- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack. +- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious. +- Determine if the lockout events occurred during the user's regular activity hours. Unusual timing may indicate malicious activity. +- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field. + +### False positive analysis: + +- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout. +- Ensure there are no known network or application issues that might cause these events. + +### Response and remediation: + +- Alert the user and your IT department immediately. +- If unauthorized access is confirmed, initiate your incident response process. +- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue. +- Require the affected user to change their password. +- If the attack is ongoing, consider blocking the IP address initiating the brute force attack. +- Implement account lockout policies to limit the impact of brute force attacks. +- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication. +- Check if the compromised account was used to access or alter any sensitive data or systems. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.action:user.account.lock + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-aws-iam-brute-force-of-assume-role-policy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-aws-iam-brute-force-of-assume-role-policy.asciidoc new file mode 100644 index 0000000000..1c5d0061ac --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-aws-iam-brute-force-of-assume-role-policy.asciidoc @@ -0,0 +1,114 @@ +[[prebuilt-rule-8-11-7-aws-iam-brute-force-of-assume-role-policy]] +=== AWS IAM Brute Force of Assume Role Policy + +Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities +* https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Use Case: Identity and Access Audit +* Resources: Investigation Guide +* Tactic: Credential Access + +*Version*: 209 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AWS IAM Brute Force of Assume Role Policy + +An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. + +Attackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute force attack. +- Verify if the user account successfully updated a trust policy in the last 24 hours. +- Examine whether this role existed in the environment by looking for past occurrences in your logs. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day? +- Examine the account's commands, API calls, and data management actions in the last 24 hours. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours. + +### False positive analysis + +- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment. If only one role was targeted in the requests and that role previously existed, it may be a false positive, since automations can continue targeting roles that existed in the environment in the past and cause false positives (FPs). + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and + event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and + aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-aws-management-console-brute-force-of-root-user-identity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-aws-management-console-brute-force-of-root-user-identity.asciidoc new file mode 100644 index 0000000000..06e8f8c4f5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-aws-management-console-brute-force-of-root-user-identity.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-11-7-aws-management-console-brute-force-of-root-user-identity]] +=== AWS Management Console Brute Force of Root User Identity + +Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-aws* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Use Case: Identity and Access Audit +* Tactic: Credential Access + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-binary-executed-from-shared-memory-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-binary-executed-from-shared-memory-directory.asciidoc new file mode 100644 index 0000000000..34813ab036 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-binary-executed-from-shared-memory-directory.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-7-binary-executed-from-shared-memory-directory]] +=== Binary Executed from Shared Memory Directory + +Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://linuxsecurity.com/features/fileless-malware-on-linux +* https://twitter.com/GossiTheDog/status/1522964028284411907 +* https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Threat: BPFDoor +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +user.id == "0" and process.executable : ("/dev/shm/*", "/run/shm/*", "/var/run/*", "/var/lock/*") and +not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/*", "/var/run/cloudera-scm-agent/*", +"/var/run/argo/argoexec") and not process.parent.command_line : "/usr/bin/runc init" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-bypass-uac-via-event-viewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-bypass-uac-via-event-viewer.asciidoc new file mode 100644 index 0000000000..6b24345d63 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-bypass-uac-via-event-viewer.asciidoc @@ -0,0 +1,150 @@ +[[prebuilt-rule-8-11-7-bypass-uac-via-event-viewer]] +=== Bypass UAC via Event Viewer + +Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Bypass UAC via Event Viewer + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). + +During startup, `eventvwr.exe` checks the registry value of the `HKCU\Software\Classes\mscfile\shell\open\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "eventvwr.exe" and + not process.executable : + ("?:\\Windows\\SysWOW64\\mmc.exe", + "?:\\Windows\\System32\\mmc.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe", + "?:\\Windows\\System32\\WerFault.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-chkconfig-service-add.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-chkconfig-service-add.asciidoc new file mode 100644 index 0000000000..bbf0f4efe8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-chkconfig-service-add.asciidoc @@ -0,0 +1,156 @@ +[[prebuilt-rule-8-11-7-chkconfig-service-add]] +=== Chkconfig Service Add + +Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Lightning Framework +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Chkconfig Service Add +Service files are configuration files in Linux systems used to define and manage system services. The `Chkconfig` binary can be used to manually add, delete or modify a service. + +Malicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. + +This rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the service that was created or modified. +- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`. +- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. +- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents. +- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Related Rules + +- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042 +- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f +- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b +- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c +- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +( + (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or + (process.args : "*chkconfig" and process.args : "--add") +) and +not process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "update-alternatives") and +not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-clearing-windows-console-history.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-clearing-windows-console-history.asciidoc new file mode 100644 index 0000000000..968b1e5a7e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-clearing-windows-console-history.asciidoc @@ -0,0 +1,129 @@ +[[prebuilt-rule-8-11-7-clearing-windows-console-history]] +=== Clearing Windows Console History + +Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/ +* https://www.shellhacks.com/clear-history-powershell/ +* https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Clearing Windows Console History + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name == "PowerShell.EXE") and + (process.args : "*Clear-History*" or + (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or + (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Command History +** ID: T1070.003 +** Reference URL: https://attack.mitre.org/techniques/T1070/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-clearing-windows-event-logs.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-clearing-windows-event-logs.asciidoc new file mode 100644 index 0000000000..f8849d7e50 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-clearing-windows-event-logs.asciidoc @@ -0,0 +1,123 @@ +[[prebuilt-rule-8-11-7-clearing-windows-event-logs]] +=== Clearing Windows Event Logs + +Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Clearing Windows Event Logs + +Windows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response. + +This rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action. +- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. + - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + ( + (process.name : "wevtutil.exe" or ?process.pe.original_file_name == "wevtutil.exe") and + process.args : ("/e:false", "cl", "clear-log") + ) or + ( + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + process.args : "Clear-EventLog" + ) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Windows Event Logs +** ID: T1070.001 +** Reference URL: https://attack.mitre.org/techniques/T1070/001/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-code-signing-policy-modification-through-built-in-tools.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-code-signing-policy-modification-through-built-in-tools.asciidoc new file mode 100644 index 0000000000..dce1484175 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-code-signing-policy-modification-through-built-in-tools.asciidoc @@ -0,0 +1,126 @@ +[[prebuilt-rule-8-11-7-code-signing-policy-modification-through-built-in-tools]] +=== Code Signing Policy Modification Through Built-in tools + +Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Code Signing Policy Modification Through Built-in tools + +Windows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded. + +This protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system. + +This rule identifies commands that can disable the Driver Signature Enforcement feature. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Use Osquery and endpoint driver events (`event.category = "driver"`) to investigate if suspicious drivers were loaded into the system after the command was executed. + - !{osquery{"label":"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \"Microsoft\" AND signed == \"1\")\n"}} + - !{osquery{"label":"Osquery - Retrieve All Unsigned Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \"0\"\n"}} +- Identify the driver's `Device Name` and `Service Name`. +- Check for alerts from the rules specified in the `Related Rules` section. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. + +### Related Rules + +- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9 +- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa +- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.) +- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed. + - This can be done via PowerShell `Remove-Service` cmdlet. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Remove and block malicious artifacts identified during triage. +- Ensure that the Driver Signature Enforcement is enabled on the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name: "bcdedit.exe" or ?process.pe.original_file_name == "bcdedit.exe") and process.args: ("-set", "/set") and + process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Subvert Trust Controls +** ID: T1553 +** Reference URL: https://attack.mitre.org/techniques/T1553/ +* Sub-technique: +** Name: Code Signing Policy Modification +** ID: T1553.006 +** Reference URL: https://attack.mitre.org/techniques/T1553/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-command-execution-via-solarwinds-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-command-execution-via-solarwinds-process.asciidoc new file mode 100644 index 0000000000..5425c01467 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-command-execution-via-solarwinds-process.asciidoc @@ -0,0 +1,96 @@ +[[prebuilt-rule-8-11-7-command-execution-via-solarwinds-process]] +=== Command Execution via SolarWinds Process + +A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html +* https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Initial Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and +process.parent.name: ( + "ConfigurationWizard*.exe", + "NetflowDatabaseMaintenance*.exe", + "NetFlowService*.exe", + "SolarWinds.Administration*.exe", + "SolarWinds.Collector.Service*.exe", + "SolarwindsDiagnostics*.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Supply Chain Compromise +** ID: T1195 +** Reference URL: https://attack.mitre.org/techniques/T1195/ +* Sub-technique: +** Name: Compromise Software Supply Chain +** ID: T1195.002 +** Reference URL: https://attack.mitre.org/techniques/T1195/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-command-prompt-network-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-command-prompt-network-connection.asciidoc new file mode 100644 index 0000000000..b329f61d83 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-command-prompt-network-connection.asciidoc @@ -0,0 +1,144 @@ +[[prebuilt-rule-8-11-7-command-prompt-network-connection]] +=== Command Prompt Network Connection + +Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Command Prompt Network Connection + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files. + +This rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. + - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware. +- Investigate the target host that the signed binary is communicating with. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. +- Examine if any file was downloaded and check if it is an executable or script. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the downloaded file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and file name conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "windows" and process.name : "cmd.exe" and event.type == "start"] + [network where host.os.type == "windows" and process.name : "cmd.exe" and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", + "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", + "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8") and + not dns.question.name : ( + "wpad", "localhost", "ocsp.comodoca.com", "ocsp.digicert.com", "ocsp.sectigo.com", "crl.comodoca.com" + )] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-component-object-model-hijacking.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-component-object-model-hijacking.asciidoc new file mode 100644 index 0000000000..3441717dd5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-component-object-model-hijacking.asciidoc @@ -0,0 +1,250 @@ +[[prebuilt-rule-8-11-7-component-object-model-hijacking]] +=== Component Object Model Hijacking + +Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Component Object Model Hijacking + +Adversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Retrieve the file referenced in the registry and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + /* not necessary but good for filtering privileged installations */ + user.domain != "NT AUTHORITY" and + ( + ( + registry.path : "HK*\\InprocServer32\\" and + registry.data.strings: ("scrobj.dll", "?:\\*\\scrobj.dll") and + not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*" + ) or + + ( + registry.path : "HKLM\\*\\InProcServer32\\*" and + registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*") + ) or + + /* in general COM Registry changes on Users Hive is less noisy and worth alerting */ + ( + registry.path : ( + "HKEY_USERS\\*\\InprocServer32\\", + "HKEY_USERS\\*\\LocalServer32\\", + "HKEY_USERS\\*\\DelegateExecute", + "HKEY_USERS\\*\\TreatAs\\", + "HKEY_USERS\\*\\ScriptletURL*" + ) and + not + ( + ( + process.name : "svchost.exe" and + process.code_signature.trusted == true and process.code_signature.subject_name == "Microsoft Windows Publisher" and + registry.value : "DelegateExecute" and + registry.data.strings : ( + /* https://strontic.github.io/xcyclopedia/library/clsid_4ED3A719-CEA8-4BD9-910D-E252F997AFC2.html */ + "{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}", + + /* https://strontic.github.io/xcyclopedia/library/clsid_A56A841F-E974-45C1-8001-7E3F8A085917.html */ + "{A56A841F-E974-45C1-8001-7E3F8A085917}", + + /* https://strontic.github.io/xcyclopedia/library/clsid_BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78.html */ + "{BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78}", + "%SystemRoot%\\system32\\shdocvw.dll" + ) + ) or + ( + process.name : "veeam.backup.shell.exe" and + registry.path : "HKEY_USERS\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\" and + process.code_signature.trusted == true and process.code_signature.subject_name == "Veeam Software Group GmbH" + ) or + ( + process.name : ("ADNotificationManager.exe", "Creative Cloud.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name == "Adobe Inc." and + registry.data.strings : ( + "\"?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\ADNotificationManager.exe\" -ToastActivated", + "\"?:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\ADNotificationManager.exe\" -ToastActivated", + "\"?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\ADNotificationManager.exe\" -ToastActivated", + "\"?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\ADNotificationManager.exe\" -ToastActivated", + "\"?:\\Program Files\\Adobe\\Adobe Creative Cloud\\ACC\\Creative Cloud.exe\" -ToastActivated" + ) + ) or + ( + process.name : ("IslandUpdateComRegisterShell64.exe", "IslandUpdate.exe", "GoogleUpdateComRegisterShell64.exe") and + process.code_signature.trusted == true and + process.code_signature.subject_name in ("Island Technology Inc.", "Google LLC") and + registry.data.strings : ( + "*?:\\Users\\*\\AppData\\Local\\Island\\Update\\*", + "*?:\\Users\\*\\AppData\\Local\\Google\\Update\\*" + ) + ) or + ( + process.name : ("SelfService.exe", "WfShell.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name == "Citrix Systems, Inc." and + registry.data.strings : ( + "\"?:\\Program Files (x86)\\Citrix\\ICA Client\\SelfServicePlugin\\SelfService.exe\" -ToastActivated", + "%SystemRoot%\\system32\\shdocvw.dll", + "%SystemRoot%\\sysWOW64\\shdocvw.dll" + ) + ) or + ( + process.name : ("msrdcw.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name == "Microsoft Corporation" and + registry.data.strings : ( + "\"?:\\Program Files\\Remote Desktop\\msrdcw.exe\" -ToastActivated", + "\"?:\\Users\\*\\AppData\\Local\\Apps\\Remote Desktop\\msrdcw.exe\" -ToastActivated" + ) + ) or + ( + process.name : ("ssvagent.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name == "Oracle America, Inc." and + registry.data.strings : ( + "?:\\Program Files\\Java\\jre*\\bin\\jp2iexp.dll", + "?:\\Program Files (x86)\\Java\\jre*\\bin\\jp2iexp.dll" + ) + ) or + ( + process.name : ("hpnotifications.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name == "HP Inc." and + registry.data.strings : ( + "\"?:\\Windows\\System32\\DriverStore\\FileRepository\\hpsvcsscancomp.inf_amd64_*\\x64\\hpnotifications.exe\" -ToastActivated" + ) + ) + ) + ) + ) and + + /* removes false-positives generated by OneDrive and Teams */ + not + ( + process.name: ("OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name in ("Microsoft Windows", "Microsoft Corporation") + ) and + + /* Teams DLL loaded by regsvr */ + not (process.name: "regsvr32.exe" and registry.data.strings : "*Microsoft.Teams.*.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Component Object Model Hijacking +** ID: T1546.015 +** Reference URL: https://attack.mitre.org/techniques/T1546/015/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Component Object Model Hijacking +** ID: T1546.015 +** Reference URL: https://attack.mitre.org/techniques/T1546/015/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-control-panel-process-with-unusual-arguments.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-control-panel-process-with-unusual-arguments.asciidoc new file mode 100644 index 0000000000..d429a1aa78 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-control-panel-process-with-unusual-arguments.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-7-control-panel-process-with-unusual-arguments]] +=== Control Panel Process with Unusual Arguments + +Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.joesandbox.com/analysis/476188/1/html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.executable : ("?:\\Windows\\SysWOW64\\control.exe", "?:\\Windows\\System32\\control.exe") and + process.command_line : + ("*.jpg*", + "*.png*", + "*.gif*", + "*.bmp*", + "*.jpeg*", + "*.TIFF*", + "*.inf*", + "*.cpl:*/*", + "*../../..*", + "*/AppData/Local/*", + "*:\\Users\\Public\\*", + "*\\AppData\\Local\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Control Panel +** ID: T1218.002 +** Reference URL: https://attack.mitre.org/techniques/T1218/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-creation-of-hidden-files-and-directories-via-commandline.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-creation-of-hidden-files-and-directories-via-commandline.asciidoc new file mode 100644 index 0000000000..56ab5544c4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-creation-of-hidden-files-and-directories-via-commandline.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-8-11-7-creation-of-hidden-files-and-directories-via-commandline]] +=== Creation of Hidden Files and Directories via CommandLine + +Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and +process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and +not process.name in ("ls", "find", "grep", "git", "jq", "basename") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-acquisition-via-registry-hive-dumping.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-acquisition-via-registry-hive-dumping.asciidoc new file mode 100644 index 0000000000..483bbaa079 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-acquisition-via-registry-hive-dumping.asciidoc @@ -0,0 +1,126 @@ +[[prebuilt-rule-8-11-7-credential-acquisition-via-registry-hive-dumping]] +=== Credential Acquisition via Registry Hive Dumping + +Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8 +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Credential Acquisition via Registry Hive Dumping + +Dumping registry hives is a common way to access credential information as some hives store credential material. + +For example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets). + +Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets. + +This rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate if the credential material was exfiltrated or processed locally by other tools. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host. + +### False positive analysis + +- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. Check whether the user is legitamitely performing this kind of activity. + +### Related rules + +- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system and restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (?process.pe.original_file_name == "reg.exe" or process.name : "reg.exe") and + process.args : ("save", "export") and + process.args : ("hklm\\sam", "hklm\\security") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: LSA Secrets +** ID: T1003.004 +** Reference URL: https://attack.mitre.org/techniques/T1003/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-dumping-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-dumping-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..557a147750 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-dumping-detected-elastic-endgame.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-11-7-credential-dumping-detected-elastic-endgame]] +=== Credential Dumping - Detected - Elastic Endgame + +Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-dumping-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-dumping-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..e35007de76 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-dumping-prevented-elastic-endgame.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-11-7-credential-dumping-prevented-elastic-endgame]] +=== Credential Dumping - Prevented - Elastic Endgame + +Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-manipulation-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-manipulation-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..f9f689cde6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-manipulation-detected-elastic-endgame.asciidoc @@ -0,0 +1,57 @@ +[[prebuilt-rule-8-11-7-credential-manipulation-detected-elastic-endgame]] +=== Credential Manipulation - Detected - Elastic Endgame + +Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-manipulation-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-manipulation-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..1f86000804 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-credential-manipulation-prevented-elastic-endgame.asciidoc @@ -0,0 +1,57 @@ +[[prebuilt-rule-8-11-7-credential-manipulation-prevented-elastic-endgame]] +=== Credential Manipulation - Prevented - Elastic Endgame + +Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-cron-job-created-or-changed-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-cron-job-created-or-changed-by-previously-unknown-process.asciidoc new file mode 100644 index 0000000000..854f0b969e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-cron-job-created-or-changed-by-previously-unknown-process.asciidoc @@ -0,0 +1,179 @@ +[[prebuilt-rule-8-11-7-cron-job-created-or-changed-by-previously-unknown-process]] +=== Cron Job Created or Changed by Previously Unknown Process + +Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Cron Job Created or Changed by Previously Unknown Process +Linux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. + +By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. + +This rule monitors the creation of previously unknown cron jobs by monitoring for file creation events in the most common cron job task location directories. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the cron job file that was created or modified. +- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (\n path LIKE '/etc/cron.allow.d/%' OR\n path LIKE '/etc/cron.d/%' OR\n path LIKE '/etc/cron.hourly/%' OR\n path LIKE '/etc/cron.daily/%' OR\n path LIKE '/etc/cron.weekly/%' OR\n path LIKE '/etc/cron.monthly/%'\n)\n"}} + - !{osquery{"label":"Osquery - Retrieve rc-local.service File Information","query":"SELECT * FROM file WHERE (\n path = '/etc/cron.allow' OR\n path = '/etc/cron.deny' OR\n path = '/etc/crontab' OR\n path = '/usr/sbin/cron' OR\n path = '/usr/sbin/anacron'\n)\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (\n path LIKE '/etc/cron.allow.d/%' OR\n path LIKE '/etc/cron.d/%' OR\n path LIKE '/etc/cron.hourly/%' OR\n path LIKE '/etc/cron.daily/%' OR\n path LIKE '/etc/cron.weekly/%' OR\n path LIKE '/etc/cron.monthly/%'\n)\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Related Rules + +- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042 +- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f +- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b +- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c +- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and +file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or +/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) +and not ( + (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "podman" or + "dnf-automatic")) or + (file.extension : ("swp" or "swpx")) or + (process.name : "sed" and file.name : sed*) or + (process.name : "perl" and file.name : e2scrub_all.tmp*) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-delete-volume-usn-journal-with-fsutil.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-delete-volume-usn-journal-with-fsutil.asciidoc new file mode 100644 index 0000000000..246ae41057 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-delete-volume-usn-journal-with-fsutil.asciidoc @@ -0,0 +1,110 @@ +[[prebuilt-rule-8-11-7-delete-volume-usn-journal-with-fsutil]] +=== Delete Volume USN Journal with Fsutil + +Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Delete Volume USN Journal with Fsutil + +The Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication. + +This artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it. + +Consider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "fsutil.exe" or ?process.pe.original_file_name == "fsutil.exe") and + process.args : "deletejournal" and process.args : "usn" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: File Deletion +** ID: T1070.004 +** Reference URL: https://attack.mitre.org/techniques/T1070/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-deleting-backup-catalogs-with-wbadmin.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-deleting-backup-catalogs-with-wbadmin.asciidoc new file mode 100644 index 0000000000..bcd3b6cda3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-deleting-backup-catalogs-with-wbadmin.asciidoc @@ -0,0 +1,118 @@ +[[prebuilt-rule-8-11-7-deleting-backup-catalogs-with-wbadmin]] +=== Deleting Backup Catalogs with Wbadmin + +Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Deleting Backup Catalogs with Wbadmin + +Windows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks. + +This rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check if any files on the host machine have been encrypted. + +### False positive analysis + +- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate. + +### Related rules + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "wbadmin.exe" or ?process.pe.original_file_name == "WBADMIN.EXE") and + process.args : "catalog" and process.args : "delete" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-direct-outbound-smb-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-direct-outbound-smb-connection.asciidoc new file mode 100644 index 0000000000..c1c6ef8b18 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-direct-outbound-smb-connection.asciidoc @@ -0,0 +1,127 @@ +[[prebuilt-rule-8-11-7-direct-outbound-smb-connection]] +=== Direct Outbound SMB Connection + +Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Direct Outbound SMB Connection + +This rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=2m + [process where host.os.type == "windows" and event.type == "start" and process.pid != 4 and + not user.id : ("S-1-5-19", "S-1-5-20") and + not (process.code_signature.trusted == true and not process.code_signature.subject_name : "Microsoft *") and + not (process.name : "powershell.exe" and process.args : "?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_*.ps1")] + [network where host.os.type == "windows" and destination.port == 445 and process.pid != 4 and + not cidrmatch(destination.ip, "127.0.0.1", "::1")] +until [process where host.os.type == "windows" and event.type == "end"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc new file mode 100644 index 0000000000..38e946a261 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc @@ -0,0 +1,135 @@ +[[prebuilt-rule-8-11-7-disable-windows-event-and-security-logs-using-built-in-tools]] +=== Disable Windows Event and Security Logs Using Built-in Tools + +Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman +* https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic +* Ivan Ninichuck +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Disable Windows Event and Security Logs Using Built-in Tools + +Windows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response. + +This rule looks for the usage of different utilities to disable the EventLog service or specific event logs. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Re-enable affected logging components, services, and security monitoring. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + ((process.name:"logman.exe" or ?process.pe.original_file_name == "Logman.exe") and + process.args : "EventLog-*" and process.args : ("stop", "delete")) or + + ((process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or ?process.pe.original_file_name in + ("pwsh.exe", "powershell.exe", "powershell_ise.exe")) and + process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled") or + + ((process.name:"auditpol.exe" or ?process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Windows Event Logs +** ID: T1070.001 +** Reference URL: https://attack.mitre.org/techniques/T1070/001/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-disable-windows-firewall-rules-via-netsh.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-disable-windows-firewall-rules-via-netsh.asciidoc new file mode 100644 index 0000000000..1ff2d656d8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-disable-windows-firewall-rules-via-netsh.asciidoc @@ -0,0 +1,112 @@ +[[prebuilt-rule-8-11-7-disable-windows-firewall-rules-via-netsh]] +=== Disable Windows Firewall Rules via Netsh + +Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Disable Windows Firewall Rules via Netsh + +The Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device. + +Attackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity. + +This rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the user to check if they are aware of the operation. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting. +- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "netsh.exe" and + ( + (process.args : "disable" and process.args : "firewall" and process.args : "set") or + (process.args : "advfirewall" and process.args : "off" and process.args : "state") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify System Firewall +** ID: T1562.004 +** Reference URL: https://attack.mitre.org/techniques/T1562/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-dynamic-linker-copy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-dynamic-linker-copy.asciidoc new file mode 100644 index 0000000000..841ddf8c94 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-dynamic-linker-copy.asciidoc @@ -0,0 +1,146 @@ +[[prebuilt-rule-8-11-7-dynamic-linker-copy]] +=== Dynamic Linker Copy + +Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Orbit +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Dynamic Linker Copy + +The Linux dynamic linker is responsible for loading shared libraries required by executables at runtime. It is a critical component of the Linux operating system and should not be tampered with. + +Adversaries may attempt to copy the dynamic linker binary and create a backup copy before patching it to inject and preload malicious shared object files. This technique has been observed in recent Linux malware attacks and is considered highly suspicious or malicious. + +The detection rule 'Dynamic Linker Copy' is designed to identify such abuse by monitoring for processes with names "cp" or "rsync" that involve copying the dynamic linker binary ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2") and modifying the "/etc/ld.so.preload" file. Additionally, the rule checks for the creation of new files with the "so" extension on Linux systems. By detecting these activities within a short time span (1 minute), the rule aims to alert security analysts to potential malicious behavior. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +### Possible investigation steps + +- Investigate the dynamic linker that was copied or altered. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (\n path = '/etc/ld.so.preload' OR\n path = '/lib64/ld-linux-x86-64.so.2' OR\n path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR\n path = '/usr/lib64/ld-linux-x86-64.so.2' OR\n path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2'\n)\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (\n path = '/etc/ld.so.preload' OR\n path = '/lib64/ld-linux-x86-64.so.2' OR\n path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR\n path = '/usr/lib64/ld-linux-x86-64.so.2' OR\n path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2'\n)\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. +- Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. +- The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Related Rules + +- Modification of Dynamic Linker Preload Shared Object Inside A Container - 342f834b-21a6-41bf-878c-87d116eba3ee +- Modification of Dynamic Linker Preload Shared Object - 717f82c2-7741-4f9b-85b8-d06aeb853f4f +- Shared Object Created or Changed by Previously Unknown Process - aebaa51f-2a91-4f6a-850b-b601db2293f4 + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m +[process where host.os.type == "linux" and event.type == "start" and process.name in ("cp", "rsync") and + process.args in ( + "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2", + "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2" + )] +[file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumerating-domain-trusts-via-dsquery-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumerating-domain-trusts-via-dsquery-exe.asciidoc new file mode 100644 index 0000000000..824c9f2d5b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumerating-domain-trusts-via-dsquery-exe.asciidoc @@ -0,0 +1,112 @@ +[[prebuilt-rule-8-11-7-enumerating-domain-trusts-via-dsquery-exe]] +=== Enumerating Domain Trusts via DSQUERY.EXE + +Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11) +* https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Enumerating Domain Trusts via DSQUERY.EXE + +Active Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a "trusting" domain permits users from a "trusted" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains. + +This rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Related rules + +- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "dsquery.exe" or ?process.pe.original_file_name: "dsquery.exe") and + process.args : "*objectClass=trustedDomain*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumerating-domain-trusts-via-nltest-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumerating-domain-trusts-via-nltest-exe.asciidoc new file mode 100644 index 0000000000..9acce5e41f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumerating-domain-trusts-via-nltest-exe.asciidoc @@ -0,0 +1,117 @@ +[[prebuilt-rule-8-11-7-enumerating-domain-trusts-via-nltest-exe]] +=== Enumerating Domain Trusts via NLTEST.EXE + +Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +* https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Enumerating Domain Trusts via NLTEST.EXE + +Active Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a "trusting" domain permits users from a "trusted" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains. + +This rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Related rules + +- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "nltest.exe" and process.args : ( + "/DCLIST:*", "/DCNAME:*", "/DSGET*", + "/LSAQUERYFTI:*", "/PARENTDOMAIN", + "/DOMAIN_TRUSTS", "/BDC_QUERY:*" + ) and +not process.parent.name : "PDQInventoryScanner.exe" and +not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumeration-command-spawned-via-wmiprvse.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumeration-command-spawned-via-wmiprvse.asciidoc new file mode 100644 index 0000000000..54c4be35fd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumeration-command-spawned-via-wmiprvse.asciidoc @@ -0,0 +1,123 @@ +[[prebuilt-rule-8-11-7-enumeration-command-spawned-via-wmiprvse]] +=== Enumeration Command Spawned via WMIPrvSE + +Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE). + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.command_line != null and + process.name: + ( + "arp.exe", + "dsquery.exe", + "dsget.exe", + "gpresult.exe", + "hostname.exe", + "ipconfig.exe", + "nbtstat.exe", + "net.exe", + "net1.exe", + "netsh.exe", + "netstat.exe", + "nltest.exe", + "ping.exe", + "qprocess.exe", + "quser.exe", + "qwinsta.exe", + "reg.exe", + "sc.exe", + "systeminfo.exe", + "tasklist.exe", + "tracert.exe", + "whoami.exe" + ) and + process.parent.name:"wmiprvse.exe" and + not ( + process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and + process.args : ("demand", "disabled") + ) and + not process.args : "tenable_mw_scan" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ +* Technique: +** Name: System Network Configuration Discovery +** ID: T1016 +** Reference URL: https://attack.mitre.org/techniques/T1016/ +* Sub-technique: +** Name: Internet Connection Discovery +** ID: T1016.001 +** Reference URL: https://attack.mitre.org/techniques/T1016/001/ +* Technique: +** Name: Process Discovery +** ID: T1057 +** Reference URL: https://attack.mitre.org/techniques/T1057/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumeration-of-administrator-accounts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumeration-of-administrator-accounts.asciidoc new file mode 100644 index 0000000000..48ec5511ee --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumeration-of-administrator-accounts.asciidoc @@ -0,0 +1,140 @@ +[[prebuilt-rule-8-11-7-enumeration-of-administrator-accounts]] +=== Enumeration of Administrator Accounts + +Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Enumeration of Administrator Accounts + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Related rules + +- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + ( + ( + (process.name : "net.exe" or ?process.pe.original_file_name == "net.exe") or + ((process.name : "net1.exe" or ?process.pe.original_file_name == "net1.exe") and not process.parent.name : "net.exe") + ) and + process.args : ("group", "user", "localgroup") and + process.args : ("*admin*", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management") + and not process.args : ("/add", "/delete") + ) or + ( + (process.name : "wmic.exe" or ?process.pe.original_file_name == "wmic.exe") and + process.args : ("group", "useraccount") + ) +) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ +* Sub-technique: +** Name: Domain Groups +** ID: T1069.002 +** Reference URL: https://attack.mitre.org/techniques/T1069/002/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Local Account +** ID: T1087.001 +** Reference URL: https://attack.mitre.org/techniques/T1087/001/ +* Sub-technique: +** Name: Domain Account +** ID: T1087.002 +** Reference URL: https://attack.mitre.org/techniques/T1087/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumeration-of-kernel-modules.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumeration-of-kernel-modules.asciidoc new file mode 100644 index 0000000000..a9b0078b81 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumeration-of-kernel-modules.asciidoc @@ -0,0 +1,64 @@ +[[prebuilt-rule-8-11-7-enumeration-of-kernel-modules]] +=== Enumeration of Kernel Modules + +Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 208 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and ( + (process.name:(lsmod or modinfo)) or + (process.name:kmod and process.args:list) or + (process.name:depmod and process.args:(--all or -a)) +) and not process.parent.name:(mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools +or readykernel or lvm2 or vz-start or iscsi or mdadm) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumeration-of-privileged-local-groups-membership.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumeration-of-privileged-local-groups-membership.asciidoc new file mode 100644 index 0000000000..d44485e93a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-enumeration-of-privileged-local-groups-membership.asciidoc @@ -0,0 +1,162 @@ +[[prebuilt-rule-8-11-7-enumeration-of-privileged-local-groups-membership]] +=== Enumeration of Privileged Local Groups Membership + +Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide + +*Version*: 210 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Enumeration of Privileged Local Groups Membership + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Identify the process, host and user involved on the event. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:windows and event.category:iam and event.action:user-member-enumerated and + ( + group.name:(*Admin* or "RemoteDesktopUsers") or + winlog.event_data.TargetSid:("S-1-5-32-544" or "S-1-5-32-555") + ) and + not ( + winlog.event_data.SubjectUserName: *$ or + winlog.event_data.SubjectUserSid: ("S-1-5-19" or "S-1-5-20") or + winlog.event_data.CallerProcessName:("-" or + *\:\\\\Windows\\\\System32\\\\VSSVC.exe or + *\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or + *\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or + *\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or + *\:\\\\Windows\\\\System32\\\\net1.exe or + *\:\\\\Windows\\\\System32\\\\svchost.exe or + *\:\\\\Windows\\\\System32\\\\Netplwiz.exe or + *\:\\\\Windows\\\\System32\\\\msiexec.exe or + *\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or + *\:\\\\Windows\\\\System32\\\\RuntimeBroker.exe or + *\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or + *\:\\\\Windows\\\\System32\\\\SrTasks.exe or + *\:\\\\Windows\\\\System32\\\\diskshadow.exe or + *\:\\\\Windows\\\\System32\\\\dfsrs.exe or + *\:\\\\Windows\\\\System32\\\\vssadmin.exe or + *\:\\\\Windows\\\\System32\\\\dllhost.exe or + *\:\\\\Windows\\\\System32\\\\mmc.exe or + *\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or + *\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or + *\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or + *\:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe or + *\:\\\\Windows\\\\System32\\\\mstsc.exe or + *\:\\\\Windows\\\\System32\\\\esentutl.exe or + *\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or + *\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or + *\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or + *\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or + *\:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe or + *\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or + ?\:\\\\WindowsAzure\\\\*WaAppAgent.exe or + ?\:\\\\Program?Files?\(x86\)\\\\*.exe or + ?\:\\\\Program?Files\\\\*.exe or + ?\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-execution-from-unusual-directory-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-execution-from-unusual-directory-command-line.asciidoc new file mode 100644 index 0000000000..1d9aabf0e8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-execution-from-unusual-directory-command-line.asciidoc @@ -0,0 +1,245 @@ +[[prebuilt-rule-8-11-7-execution-from-unusual-directory-command-line]] +=== Execution from Unusual Directory - Command Line + +Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Execution from Unusual Directory - Command Line + +This rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to determine which commands or scripts were executed. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the script using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of parent process executable and command line conditions. + +### Related rules + +- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("wscript.exe", + "cscript.exe", + "rundll32.exe", + "regsvr32.exe", + "cmstp.exe", + "RegAsm.exe", + "installutil.exe", + "mshta.exe", + "RegSvcs.exe", + "powershell.exe", + "pwsh.exe", + "cmd.exe") and + + /* add suspicious execution paths here */ + process.args : ("C:\\PerfLogs\\*", + "C:\\Users\\Public\\*", + "C:\\Windows\\Tasks\\*", + "C:\\Intel\\*", + "C:\\AMD\\Temp\\*", + "C:\\Windows\\AppReadiness\\*", + "C:\\Windows\\ServiceState\\*", + "C:\\Windows\\security\\*", + "C:\\Windows\\IdentityCRL\\*", + "C:\\Windows\\Branding\\*", + "C:\\Windows\\csc\\*", + "C:\\Windows\\DigitalLocker\\*", + "C:\\Windows\\en-US\\*", + "C:\\Windows\\wlansvc\\*", + "C:\\Windows\\Prefetch\\*", + "C:\\Windows\\Fonts\\*", + "C:\\Windows\\diagnostics\\*", + "C:\\Windows\\TAPI\\*", + "C:\\Windows\\INF\\*", + "C:\\Windows\\System32\\Speech\\*", + "C:\\windows\\tracing\\*", + "c:\\windows\\IME\\*", + "c:\\Windows\\Performance\\*", + "c:\\windows\\intel\\*", + "c:\\windows\\ms\\*", + "C:\\Windows\\dot3svc\\*", + "C:\\Windows\\panther\\*", + "C:\\Windows\\RemotePackages\\*", + "C:\\Windows\\OCR\\*", + "C:\\Windows\\appcompat\\*", + "C:\\Windows\\apppatch\\*", + "C:\\Windows\\addins\\*", + "C:\\Windows\\Setup\\*", + "C:\\Windows\\Help\\*", + "C:\\Windows\\SKB\\*", + "C:\\Windows\\Vss\\*", + "C:\\Windows\\servicing\\*", + "C:\\Windows\\CbsTemp\\*", + "C:\\Windows\\Logs\\*", + "C:\\Windows\\WaaS\\*", + "C:\\Windows\\twain_32\\*", + "C:\\Windows\\ShellExperiences\\*", + "C:\\Windows\\ShellComponents\\*", + "C:\\Windows\\PLA\\*", + "C:\\Windows\\Migration\\*", + "C:\\Windows\\debug\\*", + "C:\\Windows\\Cursors\\*", + "C:\\Windows\\Containers\\*", + "C:\\Windows\\Boot\\*", + "C:\\Windows\\bcastdvr\\*", + "C:\\Windows\\TextInput\\*", + "C:\\Windows\\security\\*", + "C:\\Windows\\schemas\\*", + "C:\\Windows\\SchCache\\*", + "C:\\Windows\\Resources\\*", + "C:\\Windows\\rescache\\*", + "C:\\Windows\\Provisioning\\*", + "C:\\Windows\\PrintDialog\\*", + "C:\\Windows\\PolicyDefinitions\\*", + "C:\\Windows\\media\\*", + "C:\\Windows\\Globalization\\*", + "C:\\Windows\\L2Schemas\\*", + "C:\\Windows\\LiveKernelReports\\*", + "C:\\Windows\\ModemLogs\\*", + "C:\\Windows\\ImmersiveControlPanel\\*", + "C:\\$Recycle.Bin\\*") and + + /* noisy FP patterns */ + + not process.parent.executable : ("C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\*\\igfxCUIService*.exe", + "C:\\Windows\\System32\\spacedeskService.exe", + "C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe") and + not (process.name : "rundll32.exe" and + process.args : ("uxtheme.dll,#64", + "PRINTUI.DLL,PrintUIEntry", + "?:\\Windows\\System32\\FirewallControlPanel.dll,ShowNotificationDialog", + "?:\\WINDOWS\\system32\\Speech\\SpeechUX\\sapi.cpl", + "?:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL")) and + + not (process.name : "cscript.exe" and process.args : "?:\\WINDOWS\\system32\\calluxxprovider.vbs") and + + not (process.name : "cmd.exe" and process.args : "?:\\WINDOWS\\system32\\powercfg.exe" and process.args : "?:\\WINDOWS\\inf\\PowerPlan.log") and + + not (process.name : "regsvr32.exe" and process.args : "?:\\Windows\\Help\\OEM\\scripts\\checkmui.dll") and + + not (process.name : "cmd.exe" and + process.parent.executable : ("?:\\Windows\\System32\\oobe\\windeploy.exe", + "?:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe", + "?:\\Windows\\System32\\igfxCUIService.exe", + "?:\\Windows\\Temp\\IE*.tmp\\IE*-support\\ienrcore.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc new file mode 100644 index 0000000000..8f96543adf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc @@ -0,0 +1,135 @@ +[[prebuilt-rule-8-11-7-execution-via-mssql-xp-cmdshell-stored-procedure]] +=== Execution via MSSQL xp_cmdshell Stored Procedure + +Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Execution via MSSQL xp_cmdshell Stored Procedure + +Microsoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence. + +The xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the command line to determine if the command executed is potentially harmful or malicious. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. + +### False positive analysis + +- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions — preferably with a full command line. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources. +- Disable the xp_cmdshell stored procedure. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and + ( + (process.name : "cmd.exe" and + not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*", + "?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")) or + + (process.name : "vpnbridge.exe" or ?process.pe.original_file_name : "vpnbridge.exe") or + + (process.name : "certutil.exe" or ?process.pe.original_file_name == "CertUtil.exe") or + + (process.name : "bitsadmin.exe" or ?process.pe.original_file_name == "bitsadmin.exe") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: SQL Stored Procedures +** ID: T1505.001 +** Reference URL: https://attack.mitre.org/techniques/T1505/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-execution-via-windows-subsystem-for-linux.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-execution-via-windows-subsystem-for-linux.asciidoc new file mode 100644 index 0000000000..936c32ba6e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-execution-via-windows-subsystem-for-linux.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-11-7-execution-via-windows-subsystem-for-linux]] +=== Execution via Windows Subsystem for Linux + +Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://learn.microsoft.com/en-us/windows/wsl/wsl-config + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type : "start" and + process.parent.name : ("wsl.exe", "wslhost.exe") and + not process.executable : ( + "?:\\Program Files (x86)\\*", + "?:\\Program Files\\*", + "?:\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe", + "?:\\Windows\\System32\\conhost.exe", + "?:\\Windows\\System32\\lxss\\wslhost.exe", + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\Sys*\\wslconfig.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indirect Command Execution +** ID: T1202 +** Reference URL: https://attack.mitre.org/techniques/T1202/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-expired-or-revoked-driver-loaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-expired-or-revoked-driver-loaded.asciidoc new file mode 100644 index 0000000000..0dfc5745e8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-expired-or-revoked-driver-loaded.asciidoc @@ -0,0 +1,75 @@ +[[prebuilt-rule-8-11-7-expired-or-revoked-driver-loaded]] +=== Expired or Revoked Driver Loaded + +Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +driver where host.os.type == "windows" and process.pid == 4 and + dll.code_signature.status : ("errorExpired", "errorRevoked") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-exploit-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-exploit-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..1646676970 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-exploit-detected-elastic-endgame.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-8-11-7-exploit-detected-elastic-endgame]] +=== Exploit - Detected - Elastic Endgame + +Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-exploit-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-exploit-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..7863d793b3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-exploit-prevented-elastic-endgame.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-8-11-7-exploit-prevented-elastic-endgame]] +=== Exploit - Prevented - Elastic Endgame + +Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-file-creation-time-changed.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-file-creation-time-changed.asciidoc new file mode 100644 index 0000000000..e2bf61ce70 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-file-creation-time-changed.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-7-file-creation-time-changed]] +=== File Creation Time Changed + +Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.code : "2" and + + /* Requires Sysmon EventID 2 - File creation time change */ + event.action : "File creation time changed*" and + + not process.executable : + ("?:\\Program Files\\*", + "?:\\Program Files (x86)\\*", + "?:\\Windows\\system32\\cleanmgr.exe", + "?:\\Windows\\system32\\msiexec.exe", + "?:\\Windows\\syswow64\\msiexec.exe", + "?:\\Windows\\system32\\svchost.exe", + "?:\\WINDOWS\\system32\\backgroundTaskHost.exe", + "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe", + "?:\\Users\\*\\AppData\\Local\\slack\\app-*\\slack.exe", + "?:\\Users\\*\\AppData\\Local\\GitHubDesktop\\app-*\\GitHubDesktop.exe", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe") and + not file.extension : ("temp", "tmp", "~tmp", "xml", "newcfg") and not user.name : ("SYSTEM", "Local Service", "Network Service") and + not file.name : ("LOG", "temp-index", "license.rtf", "iconcache_*.db") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Timestomp +** ID: T1070.006 +** Reference URL: https://attack.mitre.org/techniques/T1070/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-file-made-immutable-by-chattr.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-file-made-immutable-by-chattr.asciidoc new file mode 100644 index 0000000000..78eae55046 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-file-made-immutable-by-chattr.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-7-file-made-immutable-by-chattr]] +=== File made Immutable by Chattr + +Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and user.id == "0" and + process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and + not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd") and + not process.parent.name in ("systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ +* Sub-technique: +** Name: Linux and Mac File and Directory Permissions Modification +** ID: T1222.002 +** Reference URL: https://attack.mitre.org/techniques/T1222/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-file-permission-modification-in-writable-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-file-permission-modification-in-writable-directory.asciidoc new file mode 100644 index 0000000000..92ca5b3e6d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-file-permission-modification-in-writable-directory.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-11-7-file-permission-modification-in-writable-directory]] +=== File Permission Modification in Writable Directory + +Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 208 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:process and event.type:start and +process.name:((chattr or chgrp or chmod or chown) and +not (apt-key or update-motd-updates-available)) and +process.working_directory:(/dev/shm or /tmp or /var/tmp) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-file-system-debugger-launched-inside-a-privileged-container.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-file-system-debugger-launched-inside-a-privileged-container.asciidoc new file mode 100644 index 0000000000..65a18f3bc1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-file-system-debugger-launched-inside-a-privileged-container.asciidoc @@ -0,0 +1,65 @@ +[[prebuilt-rule-8-11-7-file-system-debugger-launched-inside-a-privileged-container]] +=== File System Debugger Launched Inside a Privileged Container + +This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine. + +*Rule type*: eql + +*Rule indices*: + +* logs-cloud_defend* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cyberark.wistia.com/medias/ygbzkzx93q?wvideo=ygbzkzx93q +* https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged + +*Tags*: + +* Data Source: Elastic Defend for Containers +* Domain: Container +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.module == "cloud_defend" and + event.type == "start" and process.name == "debugfs" and + process.args : "/dev/sd*" and not process.args == "-R" and + container.security_context.privileged == true + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Escape to Host +** ID: T1611 +** Reference URL: https://attack.mitre.org/techniques/T1611/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-github-app-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-github-app-deleted.asciidoc new file mode 100644 index 0000000000..cfcf442137 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-github-app-deleted.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-11-7-github-app-deleted]] +=== GitHub App Deleted + +Detects the deletion of a GitHub app either from a repo or an organization. + +*Rule type*: eql + +*Rule indices*: + +* logs-github.audit-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Cloud +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Github + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Serverless Execution +** ID: T1648 +** Reference URL: https://attack.mitre.org/techniques/T1648/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-github-owner-role-granted-to-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-github-owner-role-granted-to-user.asciidoc new file mode 100644 index 0000000000..93bb8fc769 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-github-owner-role-granted-to-user.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-11-7-github-owner-role-granted-to-user]] +=== GitHub Owner Role Granted To User + +This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. + +*Rule type*: eql + +*Rule indices*: + +* logs-github.audit-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Cloud +* Use Case: Threat Detection +* Use Case: UEBA +* Tactic: Persistence +* Data Source: Github + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Cloud Roles +** ID: T1098.003 +** Reference URL: https://attack.mitre.org/techniques/T1098/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-github-repository-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-github-repository-deleted.asciidoc new file mode 100644 index 0000000000..6f9a9cbbaa --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-github-repository-deleted.asciidoc @@ -0,0 +1,59 @@ +[[prebuilt-rule-8-11-7-github-repository-deleted]] +=== GitHub Repository Deleted + +This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization. + +*Rule type*: eql + +*Rule indices*: + +* logs-github.audit-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Cloud +* Use Case: Threat Detection +* Use Case: UEBA +* Tactic: Impact +* Data Source: Github + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +configuration where event.module == "github" and event.action == "repo.destroy" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-github-ueba-multiple-alerts-from-a-github-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-github-ueba-multiple-alerts-from-a-github-account.asciidoc new file mode 100644 index 0000000000..f2e1e7d035 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-github-ueba-multiple-alerts-from-a-github-account.asciidoc @@ -0,0 +1,56 @@ +[[prebuilt-rule-8-11-7-github-ueba-multiple-alerts-from-a-github-account]] +=== GitHub UEBA - Multiple Alerts from a GitHub Account + +This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user accounts or PATs. + +*Rule type*: threshold + +*Rule indices*: + +* .alerts-security.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Cloud +* Use Case: Threat Detection +* Use Case: UEBA +* Tactic: Execution +* Rule Type: Higher-Order Rule +* Data Source: Github + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-high-number-of-cloned-github-repos-from-pat.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-high-number-of-cloned-github-repos-from-pat.asciidoc new file mode 100644 index 0000000000..648528a934 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-high-number-of-cloned-github-repos-from-pat.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-11-7-high-number-of-cloned-github-repos-from-pat]] +=== High Number of Cloned GitHub Repos From PAT + +Detects a high number of unique private repo clone events originating from a single personal access token within a short time period. + +*Rule type*: threshold + +*Rule indices*: + +* logs-github.audit-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Cloud +* Use Case: Threat Detection +* Use Case: UEBA +* Tactic: Execution +* Data Source: Github + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and +github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and +github.repository_public:false + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Serverless Execution +** ID: T1648 +** Reference URL: https://attack.mitre.org/techniques/T1648/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc new file mode 100644 index 0000000000..c69eb4032b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc @@ -0,0 +1,115 @@ +[[prebuilt-rule-8-11-7-high-number-of-okta-user-password-reset-or-unlock-attempts]] +=== High Number of Okta User Password Reset or Unlock Attempts + +Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy + +*Tags*: + +* Use Case: Identity and Access Audit +* Data Source: Okta +* Tactic: Defense Evasion + +*Version*: 208 + +*Rule authors*: + +* Elastic +* @BenB196 +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating High Number of Okta User Password Reset or Unlock Attempts + +This rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account. + +#### Possible investigation steps: +- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose. +- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`. +- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts. +- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts. +- Check for other similar patterns of behavior from the same actor or IP address. If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack. +- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity. + +### False positive analysis: +- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts. +- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive. + +### Response and remediation: +- If unauthorized attempts are confirmed, initiate the incident response process. +- Reset the user's password and enforce MFA re-enrollment, if applicable. +- Block the IP address or device used in the attempts, if they appear suspicious. +- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques. +- Consider a security review of your Okta policies and rules to ensure they follow security best practices. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and + event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or + system.sms.send_account_unlock_message or system.sms.send_password_reset_message or + system.voice.send_account_unlock_call or system.voice.send_password_reset_call or + user.account.unlock_token) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-high-number-of-process-and-or-service-terminations.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-high-number-of-process-and-or-service-terminations.asciidoc new file mode 100644 index 0000000000..637c440622 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-high-number-of-process-and-or-service-terminations.asciidoc @@ -0,0 +1,106 @@ +[[prebuilt-rule-8-11-7-high-number-of-process-and-or-service-terminations]] +=== High Number of Process and/or Service Terminations + +This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period. + +*Rule type*: threshold + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/luna-ransomware-attack-pattern + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating High Number of Process and/or Service Terminations + +Attackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc. + +This rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if any files on the host machine have been encrypted. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system or restore it to the operational state. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and + process.args:(stop or pause or delete or "/PID" or "/IM" or "/T" or "/F" or "/t" or "/f" or "/im" or "/pid") and + not process.parent.name:osquerybeat.exe + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Service Stop +** ID: T1489 +** Reference URL: https://attack.mitre.org/techniques/T1489/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-high-number-of-process-terminations.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-high-number-of-process-terminations.asciidoc new file mode 100644 index 0000000000..49ee70711e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-high-number-of-process-terminations.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-11-7-high-number-of-process-terminations]] +=== High Number of Process Terminations + +This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 111 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating High Number of Process Terminations + +Attackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc. + +This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. + +#### Possible investigation steps + +- Examine the entry point to the host and user in action via the Analyse View. + - Identify the session entry leader and session user. +- Examine the contents of session leading to the process termination(s) via the Session View. + - Examine the command execution pattern in the session, which may lead to suspricous activities. +- Examine the process killed during the malicious execution + - Identify imment threat to the system from the process killed. + - Take necessary incident response actions to respawn necessary process. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system or restore it to the operational state. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Service Stop +** ID: T1489 +** Reference URL: https://attack.mitre.org/techniques/T1489/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-host-files-system-changes-via-windows-subsystem-for-linux.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-host-files-system-changes-via-windows-subsystem-for-linux.asciidoc new file mode 100644 index 0000000000..1b515357d6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-host-files-system-changes-via-windows-subsystem-for-linux.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-7-host-files-system-changes-via-windows-subsystem-for-linux]] +=== Host Files System Changes via Windows Subsystem for Linux + +Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/microsoft/WSL + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=5m + [process where host.os.type == "windows" and event.type == "start" and + process.name : "dllhost.exe" and + /* Plan9FileSystem CLSID - WSL Host File System Worker */ + process.command_line : "*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*"] + [file where host.os.type == "windows" and process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indirect Command Execution +** ID: T1202 +** Reference URL: https://attack.mitre.org/techniques/T1202/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-iis-http-logging-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-iis-http-logging-disabled.asciidoc new file mode 100644 index 0000000000..4e181ee3df --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-iis-http-logging-disabled.asciidoc @@ -0,0 +1,114 @@ +[[prebuilt-rule-8-11-7-iis-http-logging-disabled]] +=== IIS HTTP Logging Disabled + +Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating IIS HTTP Logging Disabled + +IIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools. + +IIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response. + +This rule monitors commands that disable IIS logging. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Verify whether the logs stored in the `C:\inetpub\logs\logfiles\w3svc1` directory were deleted after this action. +- Check if this operation is done under change management and approved according to the organization's policy. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Re-enable affected logging components, services, and security monitoring. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "appcmd.exe" or ?process.pe.original_file_name == "appcmd.exe") and + process.args : "/dontLog*:*True" and + not process.parent.name : "iissetup.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-imageload-via-windows-update-auto-update-client.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-imageload-via-windows-update-auto-update-client.asciidoc new file mode 100644 index 0000000000..a0941942e6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-imageload-via-windows-update-auto-update-client.asciidoc @@ -0,0 +1,130 @@ +[[prebuilt-rule-8-11-7-imageload-via-windows-update-auto-update-client]] +=== ImageLoad via Windows Update Auto Update Client + +Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://dtm.uk/wuauclt/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating ImageLoad via Windows Update Auto Update Client + +The Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. + +This rule identifies potential abuse for code execution by monitoring for specific process arguments ("/RunHandlerComServer" and "/UpdateDeploymentProvider") and common writable paths where the target DLL can be placed (e.g., "C:\Users\*.dll", "C:\ProgramData\*.dll", etc.). + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes. +- Examine the command line and identify the DLL location. +- Examine whether the DLL is signed. +- Retrieve the DLL and determine if it is malicious: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (?process.pe.original_file_name == "wuauclt.exe" or process.name : "wuauclt.exe") and + /* necessary windows update client args to load a dll */ + process.args : "/RunHandlerComServer" and process.args : "/UpdateDeploymentProvider" and + /* common paths writeable by a standard user where the target DLL can be placed */ + process.args : ("C:\\Users\\*.dll", "C:\\ProgramData\\*.dll", "C:\\Windows\\Temp\\*.dll", "C:\\Windows\\Tasks\\*.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-kernel-driver-load-by-non-root-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-kernel-driver-load-by-non-root-user.asciidoc new file mode 100644 index 0000000000..26f3434361 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-kernel-driver-load-by-non-root-user.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-11-7-kernel-driver-load-by-non-root-user]] +=== Kernel Driver Load by non-root User + +Detects the loading of a Linux kernel module by a non-root user through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager. + +*Rule type*: eql + +*Rule indices*: + +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +driver where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and +event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Rootkit +** ID: T1014 +** Reference URL: https://attack.mitre.org/techniques/T1014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-kernel-module-load-via-insmod.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-kernel-module-load-via-insmod.asciidoc new file mode 100644 index 0000000000..d225ab14e8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-kernel-module-load-via-insmod.asciidoc @@ -0,0 +1,148 @@ +[[prebuilt-rule-8-11-7-kernel-module-load-via-insmod]] +=== Kernel Module Load via insmod + +Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Rootkit +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Kernel module load via insmod + +The insmod binary is a Linux utility that allows users with root privileges to load kernel modules, which are object files that extend the functionality of the kernel. + +Threat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products. + +The detection rule 'Kernel module load via insmod' is designed to identify instances where the insmod binary is used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +### Possible investigation steps + +- Investigate the kernel object file that was loaded via insmod. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} +- Investigate the kernel ring buffer for any warnings or messages, such as tainted or out-of-tree kernel module loads through `dmesg`. +- Investigate syslog for any unusual segfaults or other messages. Rootkits may be installed on targets with different architecture as expected, and could potentially cause segmentation faults. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - $osquery_6 + +### False positive analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Related Rules + +- Kernel Driver Load - 3e12a439-d002-4944-bc42-171c0dcb9b96 +- Tainted Out-Of-Tree Kernel Module Load - 51a09737-80f7-4551-a3be-dac8ef5d181a +- Tainted Kernel Module Load - 05cad2fb-200c-407f-b472-02ea8c9e5e4a +- Attempt to Clear Kernel Ring Buffer - 2724808c-ba5d-48b2-86d2-0002103df753 +- Enumeration of Kernel Modules via Proc - 80084fa9-8677-4453-8680-b891d3c0c778 +- Suspicious Modprobe File Event - 40ddbcc8-6561-44d9-afc8-eefdbfe0cccd +- Kernel Module Removal - cd66a5af-e34b-4bb0-8931-57d0a043f2ef +- Enumeration of Kernel Modules - 2d8043ed-5bda-4caf-801c-c1feb7410504 + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" +and not process.parent.name in ("cisco-amp-helper", "ksplice-apply") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-malware-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-malware-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..ed81536e83 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-malware-detected-elastic-endgame.asciidoc @@ -0,0 +1,44 @@ +[[prebuilt-rule-8-11-7-malware-detected-elastic-endgame]] +=== Malware - Detected - Elastic Endgame + +Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-malware-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-malware-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..7ae6900d0f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-malware-prevented-elastic-endgame.asciidoc @@ -0,0 +1,44 @@ +[[prebuilt-rule-8-11-7-malware-prevented-elastic-endgame]] +=== Malware - Prevented - Elastic Endgame + +Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-build-engine-started-an-unusual-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-build-engine-started-an-unusual-process.asciidoc new file mode 100644 index 0000000000..24bd739bd2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-build-engine-started-an-unusual-process.asciidoc @@ -0,0 +1,78 @@ +[[prebuilt-rule-8-11-7-microsoft-build-engine-started-an-unusual-process]] +=== Microsoft Build Engine Started an Unusual Process + +An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 209 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:windows and event.category:process and event.type:start and process.parent.name:("MSBuild.exe" or "msbuild.exe") and +process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Sub-technique: +** Name: Compile After Delivery +** ID: T1027.004 +** Reference URL: https://attack.mitre.org/techniques/T1027/004/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc new file mode 100644 index 0000000000..9c5e00bc16 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc @@ -0,0 +1,89 @@ +[[prebuilt-rule-8-11-7-microsoft-exchange-server-um-spawning-suspicious-processes]] +=== Microsoft Exchange Server UM Spawning Suspicious Processes + +Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers +* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and + not process.executable : + ("?:\\Windows\\System32\\werfault.exe", + "?:\\Windows\\System32\\wermgr.exe", + "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe", + "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe", + "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe", + "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe", + "D:\\Exchange\\Bin\\UMWorkerProcess.exe", + "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe", + "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc new file mode 100644 index 0000000000..a5c197014a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc @@ -0,0 +1,87 @@ +[[prebuilt-rule-8-11-7-microsoft-exchange-worker-spawning-suspicious-processes]] +=== Microsoft Exchange Worker Spawning Suspicious Processes + +Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers +* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities +* https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and + (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or + ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-iis-connection-strings-decryption.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-iis-connection-strings-decryption.asciidoc new file mode 100644 index 0000000000..a932eeb5f5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-iis-connection-strings-decryption.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-7-microsoft-iis-connection-strings-decryption]] +=== Microsoft IIS Connection Strings Decryption + +Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/ +* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and + process.args : "connectionStrings" and process.args : "-pdf" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-iis-service-account-password-dumped.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-iis-service-account-password-dumped.asciidoc new file mode 100644 index 0000000000..00b33ab1f3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-microsoft-iis-service-account-password-dumped.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-7-microsoft-iis-service-account-password-dumped]] +=== Microsoft IIS Service Account Password Dumped + +Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "appcmd.exe" or ?process.pe.original_file_name == "appcmd.exe") and + process.args : "/list" and process.args : "/text*password" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-modification-of-openssh-binaries.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-modification-of-openssh-binaries.asciidoc new file mode 100644 index 0000000000..647a9069f0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-modification-of-openssh-binaries.asciidoc @@ -0,0 +1,168 @@ +[[prebuilt-rule-8-11-7-modification-of-openssh-binaries]] +=== Modification of OpenSSH Binaries + +Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Persistence +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Modification of OpenSSH Binaries + +OpenSSH is a widely used suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides encrypted communication sessions over a computer network. + +Adversaries may exploit OpenSSH by modifying its binaries, such as `/usr/bin/scp`, `/usr/bin/sftp`, `/usr/bin/ssh`, `/usr/sbin/sshd`, or `libkeyutils.so`, to gain unauthorized access or exfiltrate SSH credentials. + +The detection rule 'Modification of OpenSSH Binaries' is designed to identify such abuse by monitoring file changes in the Linux environment. It triggers an alert when a process, modifies any of the specified OpenSSH binaries or libraries. This helps security analysts detect potential malicious activities and take appropriate action. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + +### False positive analysis + +- Regular users should not need to modify OpenSSH binaries, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:linux and event.type:change and + process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron)) and + (file.path:(/usr/bin/scp or + /usr/bin/sftp or + /usr/bin/ssh or + /usr/sbin/sshd) or + file.name:libkeyutils.so) and + not process.executable:/usr/share/elasticsearch/* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ +* Technique: +** Name: Remote Service Session Hijacking +** ID: T1563 +** Reference URL: https://attack.mitre.org/techniques/T1563/ +* Sub-technique: +** Name: SSH Hijacking +** ID: T1563.001 +** Reference URL: https://attack.mitre.org/techniques/T1563/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-mount-launched-inside-a-privileged-container.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-mount-launched-inside-a-privileged-container.asciidoc new file mode 100644 index 0000000000..8e89159cca --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-mount-launched-inside-a-privileged-container.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-8-11-7-mount-launched-inside-a-privileged-container]] +=== Mount Launched Inside a Privileged Container + +This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a device or file system accessible to the system, and then to connect its root directory to a specified mount point on the local file system. When launched inside a privileged container--a container deployed with all the capabilities of the host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine. Any usage of mount inside a running privileged container should be further investigated. + +*Rule type*: eql + +*Rule indices*: + +* logs-cloud_defend* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged + +*Tags*: + +* Data Source: Elastic Defend for Containers +* Domain: Container +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.module == "cloud_defend" and event.type== "start" and +(process.name== "mount" or process.args== "mount") and container.security_context.privileged == true + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Escape to Host +** ID: T1611 +** Reference URL: https://attack.mitre.org/techniques/T1611/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-msbuild-making-network-connections.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-msbuild-making-network-connections.asciidoc new file mode 100644 index 0000000000..6e9174b8cc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-msbuild-making-network-connections.asciidoc @@ -0,0 +1,132 @@ +[[prebuilt-rule-8-11-7-msbuild-making-network-connections]] +=== MsBuild Making Network Connections + +Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating MsBuild Making Network Connections + +By examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation. + +The Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution. + +This rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. + - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware. +- Investigate the target host that the signed binary is communicating with. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "windows" and process.name : "MSBuild.exe" and event.type == "start"] + [network where host.os.type == "windows" and process.name : "MSBuild.exe" and + not cidrmatch(destination.ip, "127.0.0.1", "::1") and + not dns.question.name : "localhost"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-network-activity-detected-via-kworker.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-network-activity-detected-via-kworker.asciidoc new file mode 100644 index 0000000000..c51ef67aee --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-network-activity-detected-via-kworker.asciidoc @@ -0,0 +1,86 @@ +[[prebuilt-rule-8-11-7-network-activity-detected-via-kworker]] +=== Network Activity Detected via Kworker + +This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and +process.name:kworker* and not destination.ip:( + 10.0.0.0/8 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.168.0.0/16 or + 224.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Technique: +** Name: Rootkit +** ID: T1014 +** Reference URL: https://attack.mitre.org/techniques/T1014/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-network-connection-via-compiled-html-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-network-connection-via-compiled-html-file.asciidoc new file mode 100644 index 0000000000..f7c5318950 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-network-connection-via-compiled-html-file.asciidoc @@ -0,0 +1,156 @@ +[[prebuilt-rule-8-11-7-network-connection-via-compiled-html-file]] +=== Network Connection via Compiled HTML File + +Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Network Connection via Compiled HTML File + +CHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX. + +When users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods. + +This rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - Examine the command lines for suspicious activities. + - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination. + - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. + - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware. +- Investigate the target host that the signed binary is communicating with. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "windows" and process.name : "hh.exe" and event.type == "start"] + [network where host.os.type == "windows" and process.name : "hh.exe" and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8") and + not dns.question.name : "localhost"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Compiled HTML File +** ID: T1218.001 +** Reference URL: https://attack.mitre.org/techniques/T1218/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-network-connection-via-recently-compiled-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-network-connection-via-recently-compiled-executable.asciidoc new file mode 100644 index 0000000000..75b5985d26 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-network-connection-via-recently-compiled-executable.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-11-7-network-connection-via-recently-compiled-executable]] +=== Network Connection via Recently Compiled Executable + +This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name in ("gcc", "g++", "cc")] by process.args + [file where host.os.type == "linux" and event.action == "creation" and process.name == "ld"] by file.name + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start"] by process.name + [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip != null and + not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.name + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-new-github-owner-added.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-new-github-owner-added.asciidoc new file mode 100644 index 0000000000..32bc45dc3b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-new-github-owner-added.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-11-7-new-github-owner-added]] +=== New GitHub Owner Added + +Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. + +*Rule type*: eql + +*Rule indices*: + +* logs-github.audit-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Cloud +* Use Case: Threat Detection +* Use Case: UEBA +* Tactic: Persistence +* Data Source: Github + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Cloud Account +** ID: T1136.003 +** Reference URL: https://attack.mitre.org/techniques/T1136/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-new-systemd-service-created-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-new-systemd-service-created-by-previously-unknown-process.asciidoc new file mode 100644 index 0000000000..9ea035344b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-new-systemd-service-created-by-previously-unknown-process.asciidoc @@ -0,0 +1,174 @@ +[[prebuilt-rule-8-11-7-new-systemd-service-created-by-previously-unknown-process]] +=== New Systemd Service Created by Previously Unknown Process + +Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://opensource.com/article/20/7/systemd-timers +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating New Systemd Service Created by Previously Unknown Process + +Systemd service files are configuration files in Linux systems used to define and manage system services. + +Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. + +This rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the systemd service file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`. +- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (\npath LIKE '/etc/systemd/system/%' OR \npath LIKE '/usr/local/lib/systemd/system/%' OR \npath LIKE '/lib/systemd/system/%' OR\npath LIKE '/usr/lib/systemd/system/%' OR\npath LIKE '/home/user/.config/systemd/user/%'\n)\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (\npath LIKE '/etc/systemd/system/%' OR \npath LIKE '/usr/local/lib/systemd/system/%' OR \npath LIKE '/lib/systemd/system/%' OR\npath LIKE '/usr/lib/systemd/system/%' OR\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\n)\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Related Rules + +- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f +- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b +- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:file and event.action:("creation" or "file_create_event") and file.path:( + /etc/systemd/system/* or + /usr/local/lib/systemd/system/* or + /lib/systemd/system/* or + /usr/lib/systemd/system/* or + /home/*/.config/systemd/user/* +) and +not ( + process.name:( + "dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or "puppetd" or + "elastic-agent" or "cinc-client" or "chef-client" or "pacman" or "puppet" or "cloudflared" or "packagekitd" or + "podman" + ) or + file.extension:("swp" or "swpx") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-new-systemd-timer-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-new-systemd-timer-created.asciidoc new file mode 100644 index 0000000000..12512823cd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-new-systemd-timer-created.asciidoc @@ -0,0 +1,144 @@ +[[prebuilt-rule-8-11-7-new-systemd-timer-created]] +=== New Systemd Timer Created + +Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://opensource.com/article/20/7/systemd-timers +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating New Systemd Timer Created + +Systemd timers are used for scheduling and automating recurring tasks or services on Linux systems. + +Attackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. + +This rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the timer file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`. +- Search for the systemd service file named similarly to the timer that was created. +- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (\npath LIKE '/etc/systemd/system/%' OR \npath LIKE '/usr/local/lib/systemd/system/%' OR \npath LIKE '/lib/systemd/system/%' OR\npath LIKE '/usr/lib/systemd/system/%' OR\npath LIKE '/home/user/.config/systemd/user/%'\n)\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (\npath LIKE '/etc/systemd/system/%' OR \npath LIKE '/usr/local/lib/systemd/system/%' OR \npath LIKE '/lib/systemd/system/%' OR\npath LIKE '/usr/lib/systemd/system/%' OR\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\n)\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and +file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or +/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not ( + (process.name : ( + "docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor" or "cloudflared" or "pacman" or "podman" or + "pamac-daemon" + )) + or (file.name:apt-*.timer) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Systemd Timers +** ID: T1053.006 +** Reference URL: https://attack.mitre.org/techniques/T1053/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-ntds-or-sam-database-file-copied.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-ntds-or-sam-database-file-copied.asciidoc new file mode 100644 index 0000000000..f034ecc151 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-ntds-or-sam-database-file-copied.asciidoc @@ -0,0 +1,147 @@ +[[prebuilt-rule-8-11-7-ntds-or-sam-database-file-copied]] +=== NTDS or SAM Database File Copied + +Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ +* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating NTDS or SAM Database File Copied + +The Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials. + +This rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access. +- Determine whether the file was potentially exfiltrated from the subject host. +- Scope compromised credentials and disable the accounts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. + - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + ( + ((?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") or process.name : ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE")) and + process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv") + ) or + ((?process.pe.original_file_name : "esentutl.exe" or process.name : "esentutl.exe") and process.args : ("*/y*", "*/vss*", "*/d*")) + ) and + process.command_line : ("*\\ntds.dit*", "*\\config\\SAM*", "*\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*", "*\\User Data\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: NTDS +** ID: T1003.003 +** Reference URL: https://attack.mitre.org/techniques/T1003/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-o365-excessive-single-sign-on-logon-errors.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-o365-excessive-single-sign-on-logon-errors.asciidoc new file mode 100644 index 0000000000..93723547e0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-o365-excessive-single-sign-on-logon-errors.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-7-o365-excessive-single-sign-on-logon-errors]] +=== O365 Excessive Single Sign-On Logon Errors + +Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Cloud +* Data Source: Microsoft 365 +* Use Case: Identity and Access Audit +* Tactic: Credential Access + +*Version*: 103 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-okta-brute-force-or-password-spraying-attack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-okta-brute-force-or-password-spraying-attack.asciidoc new file mode 100644 index 0000000000..0a8c27c696 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-okta-brute-force-or-password-spraying-attack.asciidoc @@ -0,0 +1,97 @@ +[[prebuilt-rule-8-11-7-okta-brute-force-or-password-spraying-attack]] +=== Okta Brute Force or Password Spraying Attack + +Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy + +*Tags*: + +* Use Case: Identity and Access Audit +* Tactic: Credential Access +* Data Source: Okta + +*Version*: 208 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Okta Brute Force or Password Spraying Attack + +This rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords. + +#### Possible investigation steps: + +- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated. +- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts. +- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack. +- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool? +- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location? +- Analyze any previous successful logins from this IP. Was this IP previously associated with successful logins? + +### False positive analysis: + +- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive. +- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive. + +### Response and remediation: + +- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level. +- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords. +- Enhance monitoring on the affected user accounts for any suspicious activity. +- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts. +- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts. +- Review and update your security policies based on the findings from the incident. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.category:authentication and event.outcome:failure + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-permission-theft-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-permission-theft-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..54ca72869d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-permission-theft-detected-elastic-endgame.asciidoc @@ -0,0 +1,57 @@ +[[prebuilt-rule-8-11-7-permission-theft-detected-elastic-endgame]] +=== Permission Theft - Detected - Elastic Endgame + +Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-permission-theft-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-permission-theft-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..3b733bcc59 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-permission-theft-prevented-elastic-endgame.asciidoc @@ -0,0 +1,57 @@ +[[prebuilt-rule-8-11-7-permission-theft-prevented-elastic-endgame]] +=== Permission Theft - Prevented - Elastic Endgame + +Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc new file mode 100644 index 0000000000..cef8f0b24c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc @@ -0,0 +1,149 @@ +[[prebuilt-rule-8-11-7-persistence-via-kde-autostart-script-or-desktop-file-modification]] +=== Persistence via KDE AutoStart Script or Desktop File Modification + +Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://userbase.kde.org/System_Settings/Autostart +* https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/ +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Persistence via KDE AutoStart Script or Desktop File Modification + +K Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon. + +Adversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files. + +The detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions ".sh" or ".desktop" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +### Possible investigation steps + +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (\n path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR\n path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR\n path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR\n path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR\n path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR\n path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR\n path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR\n path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR\n path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR\n path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR\n path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR\n path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR\n path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR\n path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR\n path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR\n path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop'\n)\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (\n path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR\n path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR\n path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR\n path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR\n path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR\n path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR\n path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR\n path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR\n path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR\n path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR\n path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR\n path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR\n path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR\n path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR\n path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR\n path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop'\n)\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + +### False positive analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type != "deletion" and + file.extension in ("sh", "desktop") and + file.path : + ( + "/home/*/.config/autostart/*", "/root/.config/autostart/*", + "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*", + "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*", + "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*", + "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*", + "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*", + "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*", + "/etc/xdg/autostart/*", "/usr/share/autostart/*" + ) and + not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd", + "rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-persistence-via-scheduled-job-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-persistence-via-scheduled-job-creation.asciidoc new file mode 100644 index 0000000000..4d262526a5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-persistence-via-scheduled-job-creation.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-11-7-persistence-via-scheduled-job-creation]] +=== Persistence via Scheduled Job Creation + +A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job" and + not ( + ( + process.executable : "?:\\Program Files\\CCleaner\\CCleaner64.exe" and + file.path : "?:\\Windows\\Tasks\\CCleanerCrashReporting.job" + ) or + ( + process.executable : ( + "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe", + "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe" + ) and + file.path : "?:\\Windows\\Tasks\\DCAgentUpdater.job" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc new file mode 100644 index 0000000000..1a22c2abfd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc @@ -0,0 +1,98 @@ +[[prebuilt-rule-8-11-7-persistence-via-telemetrycontroller-scheduled-task-hijack]] +=== Persistence via TelemetryController Scheduled Task Hijack + +Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "CompatTelRunner.exe" and process.args : "-cv*" and + not process.name : ("conhost.exe", + "DeviceCensus.exe", + "CompatTelRunner.exe", + "DismHost.exe", + "rundll32.exe", + "powershell.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-persistence-via-wmi-event-subscription.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-persistence-via-wmi-event-subscription.asciidoc new file mode 100644 index 0000000000..1386d1f9ea --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-persistence-via-wmi-event-subscription.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-11-7-persistence-via-wmi-event-subscription]] +=== Persistence via WMI Event Subscription + +An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "wmic.exe" or ?process.pe.original_file_name == "wmic.exe") and + process.args : "create" and + process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Windows Management Instrumentation Event Subscription +** ID: T1546.003 +** Reference URL: https://attack.mitre.org/techniques/T1546/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-application-shimming-via-sdbinst.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-application-shimming-via-sdbinst.asciidoc new file mode 100644 index 0000000000..e09be2aed3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-application-shimming-via-sdbinst.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-11-7-potential-application-shimming-via-sdbinst]] +=== Potential Application Shimming via Sdbinst + +The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and + not (process.args : "-m" and process.args : "-bg") and + not process.args : "-mm" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Application Shimming +** ID: T1546.011 +** Reference URL: https://attack.mitre.org/techniques/T1546/011/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Application Shimming +** ID: T1546.011 +** Reference URL: https://attack.mitre.org/techniques/T1546/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-buffer-overflow-attack-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-buffer-overflow-attack-detected.asciidoc new file mode 100644 index 0000000000..96ff813eac --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-buffer-overflow-attack-detected.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-7-potential-buffer-overflow-attack-detected]] +=== Potential Buffer Overflow Attack Detected + +Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short time interval could indicate application exploitation attempts. + +*Rule type*: threshold + +*Rule indices*: + +* .alerts-security.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Initial Access +* Use Case: Vulnerability +* Rule Type: Higher-Order Rule + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +kibana.alert.rule.rule_id:5c81fc9d-1eae-437f-ba07-268472967013 and event.kind:signal + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-chroot-container-escape-via-mount.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-chroot-container-escape-via-mount.asciidoc new file mode 100644 index 0000000000..27840a3b34 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-chroot-container-escape-via-mount.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-7-potential-chroot-container-escape-via-mount]] +=== Potential Chroot Container Escape via Mount + +Monitors for the execution of a file system mount followed by a chroot execution. Given enough permissions, a user within a container is capable of mounting the root file system of the host, and leveraging chroot to escape its containarized environment. This behavior pattern is very uncommon and should be investigated. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Domain: Container +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.entity_id with maxspan=5m + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name == "mount" and process.args : "/dev/sd*" and process.args_count >= 3 and + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name == "chroot"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Escape to Host +** ID: T1611 +** Reference URL: https://attack.mitre.org/techniques/T1611/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-container-escape-via-modified-notify-on-release-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-container-escape-via-modified-notify-on-release-file.asciidoc new file mode 100644 index 0000000000..e2e8b309b9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-container-escape-via-modified-notify-on-release-file.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-11-7-potential-container-escape-via-modified-notify-on-release-file]] +=== Potential Container Escape via Modified notify_on_release File + +This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take advantage of this feature, which could be used for further privilege escalation and container escapes to the host machine. + +*Rule type*: eql + +*Rule indices*: + +* logs-cloud_defend* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/ +* https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/ + +*Tags*: + +* Data Source: Elastic Defend for Containers +* Domain: Container +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where event.module == "cloud_defend" and event.action == "open" and +event.type == "change" and file.name : "notify_on_release" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Escape to Host +** ID: T1611 +** Reference URL: https://attack.mitre.org/techniques/T1611/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-container-escape-via-modified-release-agent-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-container-escape-via-modified-release-agent-file.asciidoc new file mode 100644 index 0000000000..e629c7cf95 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-container-escape-via-modified-release-agent-file.asciidoc @@ -0,0 +1,64 @@ +[[prebuilt-rule-8-11-7-potential-container-escape-via-modified-release-agent-file]] +=== Potential Container Escape via Modified release_agent File + +This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent which could be used for further privilege escalation and container escapes to the host machine. + +*Rule type*: eql + +*Rule indices*: + +* logs-cloud_defend* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.aquasec.com/threat-alert-container-escape +* https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/ +* https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged-escape-abusing-existent-release_agent-cve-2022-0492-poc1 + +*Tags*: + +* Data Source: Elastic Defend for Containers +* Domain: Container +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where event.module == "cloud_defend" and event.action == "open" and +event.type == "change" and file.name : "release_agent" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Escape to Host +** ID: T1611 +** Reference URL: https://attack.mitre.org/techniques/T1611/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-curl-cve-2023-38545-exploitation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-curl-cve-2023-38545-exploitation.asciidoc new file mode 100644 index 0000000000..5e3b7cf9bb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-curl-cve-2023-38545-exploitation.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-7-potential-curl-cve-2023-38545-exploitation]] +=== Potential curl CVE-2023-38545 Exploitation + +Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://curl.se/docs/CVE-2023-38545.html +* https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/ +* https://twitter.com/_JohnHammond/status/1711986412554531015 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Use Case: Vulnerability +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "curl" +and ( + process.args : ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or + process.env_vars: ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*") +) and length(process.command_line) > 255 and +not process.parent.name in ("cf-agent", "agent-run", "rudder", "agent-inventory", "cf-execd") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-dns-tunneling-via-nslookup.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-dns-tunneling-via-nslookup.asciidoc new file mode 100644 index 0000000000..e1b4f54564 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-dns-tunneling-via-nslookup.asciidoc @@ -0,0 +1,118 @@ +[[prebuilt-rule-8-11-7-potential-dns-tunneling-via-nslookup]] +=== Potential DNS Tunneling via NsLookup + +This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential DNS Tunneling via NsLookup + +Attackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel. + +DNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling. + +More information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors). + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the DNS query and identify the information sent. +- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts. + +### False positive analysis + +- This mechanism can be used legitimately. If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Immediately block the identified indicators of compromise (IoCs). +- Implement any temporary network rules, procedures, and segmentation required to contain the attack. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Update firewall rules to be more restrictive. +- Reimage the host operating system or restore the compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5m +[process where host.os.type == "windows" and event.type == "start" and + process.name : "nslookup.exe" and process.args:("-querytype=*", "-qt=*", "-q=*", "-type=*")] with runs = 10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: DNS +** ID: T1071.004 +** Reference URL: https://attack.mitre.org/techniques/T1071/004/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-evasion-via-filter-manager.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-evasion-via-filter-manager.asciidoc new file mode 100644 index 0000000000..25a95e130a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-evasion-via-filter-manager.asciidoc @@ -0,0 +1,140 @@ +[[prebuilt-rule-8-11-7-potential-evasion-via-filter-manager]] +=== Potential Evasion via Filter Manager + +The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Evasion via Filter Manager + +A file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc. + +Attackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections. + +This rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Examine the command line event to identify the target driver. + - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the host for derived artifacts that indicate suspicious activities: + - Observe and collect information about the following activities in the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "fltMC.exe" and process.args : "unload" and + not + ( + ( + process.executable : "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\DCFAService64.exe" and + process.args : ("DFMFilter", "DRMFilter") + ) or + ( + process.executable : "?:\\Windows\\SysWOW64\\msiexec.exe" and + process.args : ("BrFilter_*", "BrCow_*") and + user.id : "S-1-5-18" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-evasion-via-windows-filtering-platform.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-evasion-via-windows-filtering-platform.asciidoc new file mode 100644 index 0000000000..e9b85b5e4d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-evasion-via-windows-filtering-platform.asciidoc @@ -0,0 +1,112 @@ +[[prebuilt-rule-8-11-7-potential-evasion-via-windows-filtering-platform]] +=== Potential Evasion via Windows Filtering Platform + +Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* +* logs-system.security-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/dsnezhkov/shutter/tree/main +* https://github.com/netero1010/EDRSilencer/tree/main +* https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/ +* https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157 +* https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by winlog.computer_name with maxspan=1m + [network where host.os.type == "windows" and + event.action : ("windows-firewall-packet-block", "windows-firewall-packet-drop") and + process.name : ( + "bdagent.exe", "bdreinit.exe", "pdscan.exe", "pdiface.exe", "BDSubWiz.exe", "ProductAgentService.exe", + "ProductAgentUI.exe", "WatchDog.exe", "CarbonBlackClientSetup.exe", "TrGUI.exe", "TracCAPI.exe", "cpmsi_tool.exe", + "trac.exe", "vna_install64.exe", "vna_utils.exe", "TracSrvWrapper.exe", "vsmon.exe", "p95tray.exe", + "CybereasonRansomFreeServiceHost.exe", "CrAmTray.exe", "minionhost.exe", "CybereasonSensor.exe", "CylanceUI.exe", + "CylanceProtectSetup.exe", "cylancesvc.exe", "cyupdate.exe", "elastic-agent.exe", "elastic-endpoint.exe", + "egui.exe", "minodlogin.exe", "emu-rep.exe", "emu_install.exe", "emu-cci.exe", "emu-gui.exe", "emu-uninstall.exe", + "ndep.exe", "spike.exe", "ecls.exe", "ecmd.exe", "ecomserver.exe", "eeclnt.exe", "eh64.exe", "EHttpSrv.exe", + "xagt.exe", "collectoragent.exe", "FSAEConfig.exe", "uninstalldcagent.exe", "rmon.exe", "fccomint.exe", + "fclanguageselector.exe", "fortifw.exe", "fcreg.exe", "fortitray.exe", "fcappdb.exe", "fcwizard.exe", "submitv.exe", + "av_task.exe", "fortiwf.exe", "fortiwadbd.exe", "fcauth.exe", "fcdblog.exe", "fcmgr.exe", "fortiwad.exe", + "fortiproxy.exe", "fortiscand.exe", "fortivpnst.exe", "ipsec.exe", "fcwscd7.exe", "fcasc.exe", "fchelper.exe", + "forticlient.exe","fcwsc.exe", "FortiClient.exe", "fmon.exe", "FSSOMA.exe", "FCVbltScan.exe", "FortiESNAC.exe", + "EPCUserAvatar.exe", "FortiAvatar.exe", "FortiClient_Diagnostic_Tool.exe", "FortiSSLVPNdaemon.exe", "avp.exe", + "FCConfig.exe", "avpsus.exe", "klnagent.exe", "klnsacwsrv.exe", "kl_platf.exe", "stpass.exe", "klnagwds.exe", + "mbae.exe", "mbae64.exe", "mbae-svc.exe", "mbae-uninstaller.exe", "mbaeLoader32.exe", "mbaeloader64.exe", + "mbam-dor.exe", "mbamgui.exe", "mbamservice.exe", "mbamtrayctrl.exe", "mbampt.exe", "mbamscheduler.exe", + "Coreinst.exe", "mbae-setup.exe", "mcupdate.exe", "ProtectedModuleHost.exe", "ESConfigTool.exe", "FWInstCheck.exe", + "FwWindowsFirewallHandler.exe", "mfeesp.exe", "mfefw.exe", "mfeProvisionModeUtility.exe", "mfetp.exe", "avpui.exe", + "WscAVExe.exe", "mcshield.exe", "McChHost.exe", "mfewc.exe", "mfewch.exe", "mfewcui.exe", "fwinfo.exe", + "mfecanary.exe", "mfefire.exe", "mfehidin.exe", "mfemms.exe", "mfevtps.exe", "mmsinfo.exe", "vtpinfo.exe", + "MarSetup.exe", "mctray.exe", "masvc.exe", "macmnsvc.exe", "McAPExe.exe", "McPvTray.exe", "mcods.exe", + "mcuicnt.exe", "mcuihost.exe", "xtray.exe", "McpService.exe", "epefprtrainer.exe", "mfeffcoreservice.exe", + "MfeEpeSvc.exe", "qualysagent.exe", "QualysProxy.exe", "QualysAgentUI.exe", "SVRTgui.exe", "SVRTcli.exe", + "SVRTcli.exe", "SVRTgui.exe", "SCTCleanupService.exe", "SVRTservice.exe", "native.exe", "SCTBootTasks.exe", + "ALMon.exe", "SAA.exe", "SUMService.exe", "ssp.exe", "SCFService.exe", "SCFManager.exe", "spa.exe", "cabarc.exe", + "sargui.exe", "sntpservice.exe", "McsClient.exe", "McsAgent.exe", "McsHeartbeat.exe", "SAVAdminService.exe", + "sav32cli.exe", "ForceUpdateAlongSideSGN.exe", "SAVCleanupService.exe", "SavMain.exe", "SavProgress.exe", + "SavProxy.exe", "SavService.exe", "swc_service.exe", "swi_di.exe", "swi_service.exe", "swi_filter.exe", + "ALUpdate.exe", "SophosUpdate.exe", "ALsvc.exe", "SophosAlert.exe", "osCheck.exe", "N360Downloader.exe", + "InstWrap.exe", "symbos.exe", "nss.exe", "symcorpui.exe", "isPwdSvc.exe", "ccsvchst.exe", "ntrmv.exe", + "pccntmon.exe", "AosUImanager.exe", "NTRTScan.exe", "TMAS_OL.exe", "TMAS_OLImp.exe", "TMAS_OLSentry.exe", + "ufnavi.exe", "Clnrbin.exe", "vizorhtmldialog.exe", "pwmConsole.exe", "PwmSvc.exe", "coreServiceShell.exe", + "ds_agent.exe", "SfCtlCom.exe", "MBAMHelper.exe", "cb.exe", "smc.exe", "tda.exe", "xagtnotif.exe", "ekrn.exe", + "dsa.exe", "Notifier.exe", "rphcp.exe", "lc_sensor.exe", "CSFalconService.exe", "CSFalconController.exe", + "SenseSampleUploader.exe", "windefend.exe", "MSASCui.exe", "MSASCuiL.exe", "msmpeng.exe", "msmpsvc.exe", + "MsSense.exe", "esensor.exe", "sentinelone.exe", "tmccsf.exe", "csfalconcontainer.exe", "sensecncproxy.exe", + "splunk.exe", "sysmon.exe", "sysmon64.exe", "taniumclient.exe" + )] with runs=5 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify System Firewall +** ID: T1562.004 +** Reference URL: https://attack.mitre.org/techniques/T1562/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-file-transfer-via-certreq.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-file-transfer-via-certreq.asciidoc new file mode 100644 index 0000000000..7d71ceffe8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-file-transfer-via-certreq.asciidoc @@ -0,0 +1,145 @@ +[[prebuilt-rule-8-11-7-potential-file-transfer-via-certreq]] +=== Potential File Transfer via Certreq + +Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://lolbas-project.github.io/lolbas/Binaries/Certreq/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Command and Control +* Tactic: Exfiltration +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential File Transfer via Certreq + +Certreq is a command-line utility in Windows operating systems that allows users to request and manage certificates from certificate authorities. It is primarily used for generating certificate signing requests (CSRs) and installing certificates. However, adversaries may abuse Certreq's functionality to download files or upload data to a remote URL by making an HTTP POST request. + +This rule identifies the potential abuse of Certreq to download files or upload data to a remote URL. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the details of the dropped file, and whether it was executed. +- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "CertReq.exe" or ?process.pe.original_file_name == "CertReq.exe") and process.args : "-Post" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Web Service +** ID: T1567 +** Reference URL: https://attack.mitre.org/techniques/T1567/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-macos-ssh-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-macos-ssh-brute-force-detected.asciidoc new file mode 100644 index 0000000000..842b8005ff --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-macos-ssh-brute-force-detected.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-11-7-potential-macos-ssh-brute-force-detected]] +=== Potential macOS SSH Brute Force Detected + +Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-network-scan-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-network-scan-detected.asciidoc new file mode 100644 index 0000000000..0936608539 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-network-scan-detected.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-11-7-potential-network-scan-detected]] +=== Potential Network Scan Detected + +This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.network-* +* logs-network_traffic.* +* packetbeat-* +* filebeat-* +* auditbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 5 + +*References*: None + +*Tags*: + +* Domain: Network +* Tactic: Discovery +* Tactic: Reconnaissance +* Use Case: Network Security Monitoring + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: https://attack.mitre.org/tactics/TA0043/ +* Technique: +** Name: Active Scanning +** ID: T1595 +** Reference URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Scanning IP Blocks +** ID: T1595.001 +** Reference URL: https://attack.mitre.org/techniques/T1595/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-network-sweep-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-network-sweep-detected.asciidoc new file mode 100644 index 0000000000..f6b3a3921f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-network-sweep-detected.asciidoc @@ -0,0 +1,75 @@ +[[prebuilt-rule-8-11-7-potential-network-sweep-detected]] +=== Potential Network Sweep Detected + +This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services. + +*Rule type*: threshold + +*Rule indices*: + +* packetbeat-* +* auditbeat-* +* filebeat-* +* logs-network_traffic.* +* logs-endpoint.events.network-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 5 + +*References*: None + +*Tags*: + +* Domain: Network +* Tactic: Discovery +* Tactic: Reconnaissance +* Use Case: Network Security Monitoring + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and +source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: https://attack.mitre.org/tactics/TA0043/ +* Technique: +** Name: Active Scanning +** ID: T1595 +** Reference URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Scanning IP Blocks +** ID: T1595.001 +** Reference URL: https://attack.mitre.org/techniques/T1595/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-pass-the-hash-pth-attempt.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-pass-the-hash-pth-attempt.asciidoc new file mode 100644 index 0000000000..6950d100eb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-pass-the-hash-pth-attempt.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-7-potential-pass-the-hash-pth-attempt]] +=== Potential Pass-the-Hash (PtH) Attempt + +Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1550/002/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:"windows" and +event.category : "authentication" and event.action : "logged-in" and +winlog.logon.type : "NewCredentials" and event.outcome : "success" and +user.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : "seclogo" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Pass the Hash +** ID: T1550.002 +** Reference URL: https://attack.mitre.org/techniques/T1550/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-password-spraying-of-microsoft-365-user-accounts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-password-spraying-of-microsoft-365-user-accounts.asciidoc new file mode 100644 index 0000000000..adf2d4e637 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-password-spraying-of-microsoft-365-user-accounts.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-7-potential-password-spraying-of-microsoft-365-user-accounts]] +=== Potential Password Spraying of Microsoft 365 User Accounts + +Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Cloud +* Data Source: Microsoft 365 +* Use Case: Identity and Access Audit +* Tactic: Credential Access + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and +event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-persistence-through-init-d-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-persistence-through-init-d-detected.asciidoc new file mode 100644 index 0000000000..c09ae60be0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-persistence-through-init-d-detected.asciidoc @@ -0,0 +1,144 @@ +[[prebuilt-rule-8-11-7-potential-persistence-through-init-d-detected]] +=== Potential Persistence Through init.d Detected + +Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts +* https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Persistence Through init.d Detected + +The `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown. + +Attackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory. + +This rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. +#### Possible Investigation Steps + +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Related Rules + +- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the maliciously created service/init.d files or restore it to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and +file.path : /etc/init.d/* and not ( + (process.name : ("dpkg" or "dockerd" or "rpm" or "dnf" or "chef-client" or "apk" or "yum" or "rpm" or + "vmis-launcher" or "exe" or "platform-python" or "executor" or "podman")) or + (file.extension : ("swp" or "swpx")) or + (process.name:mv and file.name:*.dpkg-remove) or + (process.name:sed and file.name:sed*) or + (process.name:systemd and file.name:*.dpkg-new) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-persistence-through-motd-file-creation-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-persistence-through-motd-file-creation-detected.asciidoc new file mode 100644 index 0000000000..a5fa2d8ecd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-persistence-through-motd-file-creation-detected.asciidoc @@ -0,0 +1,133 @@ +[[prebuilt-rule-8-11-7-potential-persistence-through-motd-file-creation-detected]] +=== Potential Persistence Through MOTD File Creation Detected + +Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Persistence Through MOTD File Creation Detected + +The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux. + +Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges. + +This rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### Related Rules + +- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447 + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the MOTD files or restore their original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and +file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : ( + dpkg or dockerd or rpm or executor or dnf or podman or ln +) and not file.extension : ("swp" or "swpx") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-persistence-through-run-control-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-persistence-through-run-control-detected.asciidoc new file mode 100644 index 0000000000..53b2254f89 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-persistence-through-run-control-detected.asciidoc @@ -0,0 +1,141 @@ +[[prebuilt-rule-8-11-7-potential-persistence-through-run-control-detected]] +=== Potential Persistence Through Run Control Detected + +This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts +* https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Persistence Through Run Control Detected + +The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. + +There might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. + +Detection alerts from this rule indicate the creation of a new `/etc/rc.local` file. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`. + - !{osquery{"label":"Osquery - Retrieve rc-local.service File Information","query":"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')"}} + - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file. + - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep "rc-local.service|/etc/rc.local Compatibility"` can be executed to check for the execution of the service. + - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the `service/rc.local` files or restore their original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.category : "file" and +event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and +file.path : "/etc/rc.local" and not process.name : ( + "dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg" +) and not file.extension : ("swp" or "swpx") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-persistence-via-time-provider-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-persistence-via-time-provider-modification.asciidoc new file mode 100644 index 0000000000..5a1053b5c3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-persistence-via-time-provider-modification.asciidoc @@ -0,0 +1,147 @@ +[[prebuilt-rule-8-11-7-potential-persistence-via-time-provider-modification]] +=== Potential Persistence via Time Provider Modification + +Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pentestlab.blog/2019/10/22/persistence-time-providers/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Persistence via Time Provider Modification + +The Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. + +This rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine whether the DLL is signed. +- Retrieve the DLL and determine if it is malicious: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restore Time Provider settings to the desired state. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type:"change" and + registry.path: ( + "HKLM\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*" + ) and + registry.data.strings:"*.dll" and + not + ( + process.executable : "?:\\Windows\\System32\\msiexec.exe" and + registry.data.strings : "?:\\Program Files\\VMware\\VMware Tools\\vmwTimeProvider\\vmwTimeProvider.dll" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Time Providers +** ID: T1547.003 +** Reference URL: https://attack.mitre.org/techniques/T1547/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Time Providers +** ID: T1547.003 +** Reference URL: https://attack.mitre.org/techniques/T1547/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-powershell-hacktool-script-by-function-names.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-powershell-hacktool-script-by-function-names.asciidoc new file mode 100644 index 0000000000..7d3fc91058 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-powershell-hacktool-script-by-function-names.asciidoc @@ -0,0 +1,323 @@ +[[prebuilt-rule-8-11-7-potential-powershell-hacktool-script-by-function-names]] +=== Potential PowerShell HackTool Script by Function Names + +Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md +* https://github.com/BC-SECURITY/Empire + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: PowerShell Logs + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential PowerShell HackTool Script by Function Names + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Adversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the script using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools. +- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users. + +### Related Rules + +- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88 +- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. + - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Reimage the host operating system or restore the compromised files to clean versions. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "Add-DomainGroupMember" or "Add-DomainObjectAcl" or + "Add-RemoteConnection" or "Add-ServiceDacl" or + "Add-Win32Type" or "Convert-ADName" or + "Convert-LDAPProperty" or "ConvertFrom-LDAPLogonHours" or + "ConvertFrom-UACValue" or "Copy-ArrayOfMemAddresses" or + "Create-NamedPipe" or "Create-ProcessWithToken" or + "Create-RemoteThread" or "Create-SuspendedWinLogon" or + "Create-WinLogonProcess" or "Emit-CallThreadStub" or + "Enable-SeAssignPrimaryTokenPrivilege" or "Enable-SeDebugPrivilege" or + "Enum-AllTokens" or "Export-PowerViewCSV" or + "Find-AVSignature" or "Find-AppLockerLog" or + "Find-DomainLocalGroupMember" or "Find-DomainObjectPropertyOutlier" or + "Find-DomainProcess" or "Find-DomainShare" or + "Find-DomainUserEvent" or "Find-DomainUserLocation" or + "Find-InterestingDomainAcl" or "Find-InterestingDomainShareFile" or + "Find-InterestingFile" or "Find-LocalAdminAccess" or + "Find-PSScriptsInPSAppLog" or "Find-PathDLLHijack" or + "Find-ProcessDLLHijack" or "Find-RDPClientConnection" or + "Get-AllAttributesForClass" or "Get-CachedGPPPassword" or + "Get-DecryptedCpassword" or "Get-DecryptedSitelistPassword" or + "Get-DelegateType" or + "Get-DomainDFSShare" or "Get-DomainDFSShareV1" or + "Get-DomainDFSShareV2" or "Get-DomainDNSRecord" or + "Get-DomainDNSZone" or "Get-DomainFileServer" or + "Get-DomainForeignGroupMember" or "Get-DomainForeignUser" or + "Get-DomainGPO" or "Get-DomainGPOComputerLocalGroupMapping" or + "Get-DomainGPOLocalGroup" or "Get-DomainGPOUserLocalGroupMapping" or + "Get-DomainGUIDMap" or "Get-DomainGroup" or + "Get-DomainGroupMember" or "Get-DomainGroupMemberDeleted" or + "Get-DomainManagedSecurityGroup" or "Get-DomainOU" or + "Get-DomainObject" or "Get-DomainObjectAcl" or + "Get-DomainObjectAttributeHistory" or "Get-DomainObjectLinkedAttributeHistory" or + "Get-DomainPolicyData" or "Get-DomainSID" or + "Get-DomainSPNTicket" or "Get-DomainSearcher" or + "Get-DomainSite" or "Get-DomainSubnet" or + "Get-DomainTrust" or "Get-DomainTrustMapping" or + "Get-DomainUser" or "Get-DomainUserEvent" or + "Get-Forest" or "Get-ForestDomain" or + "Get-ForestGlobalCatalog" or "Get-ForestSchemaClass" or + "Get-ForestTrust" or "Get-GPODelegation" or + "Get-GPPAutologon" or "Get-GPPInnerField" or + "Get-GPPInnerFields" or "Get-GPPPassword" or + "Get-GptTmpl" or "Get-GroupsXML" or + "Get-HttpStatus" or "Get-ImageNtHeaders" or + "Get-Keystrokes" or + "Get-MemoryProcAddress" or "Get-MicrophoneAudio" or + "Get-ModifiablePath" or "Get-ModifiableRegistryAutoRun" or + "Get-ModifiableScheduledTaskFile" or "Get-ModifiableService" or + "Get-ModifiableServiceFile" or "Get-Name" or + "Get-NetComputerSiteName" or "Get-NetLocalGroup" or + "Get-NetLocalGroupMember" or "Get-NetLoggedon" or + "Get-NetRDPSession" or "Get-NetSession" or + "Get-NetShare" or "Get-PEArchitecture" or + "Get-PEBasicInfo" or "Get-PEDetailedInfo" or + "Get-PathAcl" or "Get-PrimaryToken" or + "Get-ProcAddress" or "Get-ProcessTokenGroup" or + "Get-ProcessTokenPrivilege" or "Get-ProcessTokenType" or + "Get-RegLoggedOn" or "Get-RegistryAlwaysInstallElevated" or + "Get-RegistryAutoLogon" or "Get-RemoteProcAddress" or + "Get-Screenshot" or "Get-ServiceDetail" or + "Get-SiteListPassword" or "Get-SitelistField" or + "Get-System" or "Get-SystemNamedPipe" or + "Get-SystemToken" or "Get-ThreadToken" or + "Get-TimedScreenshot" or "Get-TokenInformation" or + "Get-TopPort" or "Get-UnattendedInstallFile" or + "Get-UniqueTokens" or "Get-UnquotedService" or + "Get-VaultCredential" or "Get-VaultElementValue" or + "Get-VirtualProtectValue" or "Get-VolumeShadowCopy" or + "Get-WMIProcess" or "Get-WMIRegCachedRDPConnection" or + "Get-WMIRegLastLoggedOn" or "Get-WMIRegMountedDrive" or + "Get-WMIRegProxy" or "Get-WebConfig" or + "Get-Win32Constants" or "Get-Win32Functions" or + "Get-Win32Types" or "Import-DllImports" or + "Import-DllInRemoteProcess" or "Inject-LocalShellcode" or + "Inject-RemoteShellcode" or "Install-ServiceBinary" or + "Invoke-CompareAttributesForClass" or "Invoke-CreateRemoteThread" or + "Invoke-CredentialInjection" or "Invoke-DllInjection" or + "Invoke-EventVwrBypass" or "Invoke-ImpersonateUser" or + "Invoke-Kerberoast" or "Invoke-MemoryFreeLibrary" or + "Invoke-MemoryLoadLibrary" or + "Invoke-Mimikatz" or "Invoke-NinjaCopy" or + "Invoke-PatchDll" or "Invoke-Portscan" or + "Invoke-PrivescAudit" or "Invoke-ReflectivePEInjection" or + "Invoke-ReverseDnsLookup" or "Invoke-RevertToSelf" or + "Invoke-ServiceAbuse" or "Invoke-Shellcode" or + "Invoke-TokenManipulation" or "Invoke-UserImpersonation" or + "Invoke-WmiCommand" or "Mount-VolumeShadowCopy" or + "New-ADObjectAccessControlEntry" or "New-DomainGroup" or + "New-DomainUser" or "New-DynamicParameter" or + "New-InMemoryModule" or + "New-ThreadedFunction" or "New-VolumeShadowCopy" or + "Out-CompressedDll" or "Out-EncodedCommand" or + "Out-EncryptedScript" or "Out-Minidump" or + "PortScan-Alive" or "Portscan-Port" or + "Remove-DomainGroupMember" or "Remove-DomainObjectAcl" or + "Remove-RemoteConnection" or "Remove-VolumeShadowCopy" or + "Restore-ServiceBinary" or "Set-DesktopACLToAllowEveryone" or + "Set-DesktopACLs" or "Set-DomainObject" or + "Set-DomainObjectOwner" or "Set-DomainUserPassword" or + "Set-ServiceBinaryPath" or "Sub-SignedIntAsUnsigned" or + "Test-AdminAccess" or "Test-MemoryRangeValid" or + "Test-ServiceDaclPermission" or "Update-ExeFunctions" or + "Update-MemoryAddresses" or "Update-MemoryProtectionFlags" or + "Write-BytesToMemory" or "Write-HijackDll" or + "Write-PortscanOut" or "Write-ServiceBinary" or + "Write-UserAddMSI" or "Invoke-Privesc" or + "func_get_proc_address" or "Invoke-BloodHound" or + "Invoke-HostEnum" or "Get-BrowserInformation" or + "Get-DomainAccountPolicy" or "Get-DomainAdmins" or + "Get-AVProcesses" or "Get-AVInfo" or + "Get-RecycleBin" or "Invoke-BruteForce" or + "Get-PassHints" or "Invoke-SessionGopher" or + "Get-LSASecret" or "Get-PassHashes" or + "Invoke-WdigestDowngrade" or "Get-ChromeDump" or + "Invoke-DomainPasswordSpray" or "Get-FoxDump" or + "New-HoneyHash" or "Invoke-DCSync" or + "Invoke-PowerDump" or "Invoke-SSIDExfil" or + "Invoke-PowerShellTCP" or "Add-Exfiltration" or + "Do-Exfiltration" or "Invoke-DropboxUpload" or + "Invoke-ExfilDataToGitHub" or "Invoke-EgressCheck" or + "Invoke-PostExfil" or "Create-MultipleSessions" or + "Invoke-NetworkRelay" or "New-GPOImmediateTask" or + "Invoke-WMIDebugger" or "Invoke-SQLOSCMD" or + "Invoke-SMBExec" or "Invoke-PSRemoting" or + "Invoke-ExecuteMSBuild" or "Invoke-DCOM" or + "Invoke-InveighRelay" or "Invoke-PsExec" or + "Invoke-SSHCommand" or "Find-ActiveUsersWMI" or + "Get-SystemDrivesWMI" or "Get-ActiveNICSWMI" or + "Remove-Persistence" or "DNS_TXT_Pwnage" or + "Execute-OnTime" or "HTTP-Backdoor" or + "Add-ConstrainedDelegationBackdoor" or "Add-RegBackdoor" or + "Add-ScrnSaveBackdoor" or "Gupt-Backdoor" or + "Invoke-ADSBackdoor" or "Add-Persistence" or + "Invoke-ResolverBackdoor" or "Invoke-EventLogBackdoor" or + "Invoke-DeadUserBackdoor" or "Invoke-DisableMachineAcctChange" or + "Invoke-AccessBinary" or "Add-NetUser" or + "Invoke-Schtasks" or "Invoke-JSRatRegsvr" or + "Invoke-JSRatRundll" or "Invoke-PoshRatHttps" or + "Invoke-PsGcatAgent" or "Remove-PoshRat" or + "Install-SSP" or "Invoke-BackdoorLNK" or + "PowerBreach" or "InstallEXE-Persistence" or + "RemoveEXE-Persistence" or "Install-ServiceLevel-Persistence" or + "Remove-ServiceLevel-Persistence" or "Invoke-Prompt" or + "Invoke-PacketCapture" or "Start-WebcamRecorder" or + "Get-USBKeyStrokes" or "Invoke-KeeThief" or + "Get-Keystrokes" or "Invoke-NetRipper" or + "Get-EmailItems" or "Invoke-MailSearch" or + "Invoke-SearchGAL" or "Get-WebCredentials" or + "Start-CaptureServer" or "Invoke-PowerShellIcmp" or + "Invoke-PowerShellTcpOneLine" or "Invoke-PowerShellTcpOneLineBind" or + "Invoke-PowerShellUdp" or "Invoke-PowerShellUdpOneLine" or + "Run-EXEonRemote" or "Download-Execute-PS" or + "Out-RundllCommand" or "Set-RemoteWMI" or + "Set-DCShadowPermissions" or "Invoke-PowerShellWMI" or + "Invoke-Vnc" or "Invoke-LockWorkStation" or + "Invoke-EternalBlue" or "Invoke-ShellcodeMSIL" or + "Invoke-MetasploitPayload" or "Invoke-DowngradeAccount" or + "Invoke-RunAs" or "ExetoText" or + "Disable-SecuritySettings" or "Set-MacAttribute" or + "Invoke-MS16032" or "Invoke-BypassUACTokenManipulation" or + "Invoke-SDCLTBypass" or "Invoke-FodHelperBypass" or + "Invoke-EventVwrBypass" or "Invoke-EnvBypass" or + "Get-ServiceUnquoted" or "Get-ServiceFilePermission" or + "Get-ServicePermission" or + "Enable-DuplicateToken" or "Invoke-PsUaCme" or + "Invoke-Tater" or "Invoke-WScriptBypassUAC" or + "Invoke-AllChecks" or "Find-TrustedDocuments" or + "Invoke-Interceptor" or "Invoke-PoshRatHttp" or + "Invoke-ExecCommandWMI" or "Invoke-KillProcessWMI" or + "Invoke-CreateShareandExecute" or "Invoke-RemoteScriptWithOutput" or + "Invoke-SchedJobManipulation" or "Invoke-ServiceManipulation" or + "Invoke-PowerOptionsWMI" or "Invoke-DirectoryListing" or + "Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or + "Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or + "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" + ) and + not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" + ) and + not file.path : ( + ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\DataCollection\\\\* + ) and + not user.id : ("S-1-5-18" or "S-1-5-19") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-privilege-escalation-via-enlightenment.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-privilege-escalation-via-enlightenment.asciidoc new file mode 100644 index 0000000000..93e6e763ac --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-privilege-escalation-via-enlightenment.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-11-7-potential-privilege-escalation-via-enlightenment]] +=== Potential Privilege Escalation via Enlightenment + +Identifies an attempt to exploit a local privilege escalation CVE-2022-37706 via a flaw in Linux window manager package Enlightenment. enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://ubuntu.com/security/CVE-2022-37706 +* https://www.exploit-db.com/exploits/51180 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.entity_id with maxspan=5s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name == "enlightenment_sys" and process.args in ("/bin/mount/", "-o","noexec","nosuid","nodev","uid=*") ] + [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and user.id == "0"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-privilege-escalation-via-linux-dac-permissions.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-privilege-escalation-via-linux-dac-permissions.asciidoc new file mode 100644 index 0000000000..e2a71a108f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-privilege-escalation-via-linux-dac-permissions.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-11-7-potential-privilege-escalation-via-linux-dac-permissions]] +=== Potential Privilege Escalation via Linux DAC permissions + +Identifies potential privilege escalation exploitation of DAC (Discretionary access control) file permissions. The rule identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities include CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable permission on the directories). + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +(process.thread.capabilities.permitted: "CAP_DAC_*" or process.thread.capabilities.effective: "CAP_DAC_*") and +process.command_line : ("*sudoers*", "*passwd*", "*shadow*", "*/root/*") and user.id != "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-reverse-shell-via-java.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-reverse-shell-via-java.asciidoc new file mode 100644 index 0000000000..e53088f1e8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-reverse-shell-via-java.asciidoc @@ -0,0 +1,90 @@ +[[prebuilt-rule-8-11-7-potential-reverse-shell-via-java]] +=== Potential Reverse Shell via Java + +This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and + process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + not (destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch( + destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", + "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", + "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", + "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", + "FF00::/8" + ) + )] by process.entity_id + [process where host.os.type == "linux" and event.action == "exec" and + process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + process.parent.args : "-jar" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + and not process.parent.args in ( + "/usr/share/java/jenkins.war", "/etc/remote-iot/services/remoteiot.jar", + "/usr/lib64/NetExtender.jar", "/usr/lib/jenkins/jenkins.war" + )] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-reverse-shell-via-suspicious-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-reverse-shell-via-suspicious-child-process.asciidoc new file mode 100644 index 0000000000..16151645ee --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-reverse-shell-via-suspicious-child-process.asciidoc @@ -0,0 +1,98 @@ +[[prebuilt-rule-8-11-7-potential-reverse-shell-via-suspicious-child-process]] +=== Potential Reverse Shell via Suspicious Child Process + +This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and ( + (process.name : "python*" and process.args : "-c" and process.args : ( + "*import*pty*spawn*", "*import*subprocess*call*" + )) or + (process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : ( + "*exec*", "*system*" + )) or + (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : ( + "*TCPSocket.new*", "*TCPSocket.open*" + )) or + (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : ( + "*io.popen*", "*os.execute*" + )) or + (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or + (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or + (process.name : "openssl" and process.args : "-connect") or + (process.name : ("nc", "ncat", "netcat") and process.args == "-e" and process.args_count >= 3 and + not process.args == "-z") or + (process.name : "telnet" and process.args_count >= 3) + ) and process.parent.name : ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", + "openssl", "nc", "netcat", "ncat", "telnet", "awk")] + [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and + destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-syn-based-network-scan-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-syn-based-network-scan-detected.asciidoc new file mode 100644 index 0000000000..b2c84a3875 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-potential-syn-based-network-scan-detected.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-11-7-potential-syn-based-network-scan-detected]] +=== Potential SYN-Based Network Scan Detected + +This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.network-* +* logs-network_traffic.* +* packetbeat-* +* auditbeat-* +* filebeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 5 + +*References*: None + +*Tags*: + +* Domain: Network +* Tactic: Discovery +* Tactic: Reconnaissance +* Use Case: Network Security Monitoring + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: https://attack.mitre.org/tactics/TA0043/ +* Technique: +** Name: Active Scanning +** ID: T1595 +** Reference URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Scanning IP Blocks +** ID: T1595.001 +** Reference URL: https://attack.mitre.org/techniques/T1595/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-powershell-suspicious-discovery-related-windows-api-functions.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-powershell-suspicious-discovery-related-windows-api-functions.asciidoc new file mode 100644 index 0000000000..d1449acfd8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-powershell-suspicious-discovery-related-windows-api-functions.asciidoc @@ -0,0 +1,179 @@ +[[prebuilt-rule-8-11-7-powershell-suspicious-discovery-related-windows-api-functions]] +=== PowerShell Suspicious Discovery Related Windows API Functions + +This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413 +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Tactic: Collection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Suspicious Discovery Related Windows API Functions + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Check for additional PowerShell and command-line logs that indicate that imported functions were run. + +### False positive analysis + +- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + NetShareEnum or + NetWkstaUserEnum or + NetSessionEnum or + NetLocalGroupEnum or + NetLocalGroupGetMembers or + DsGetSiteName or + DsEnumerateDomainTrusts or + WTSEnumerateSessionsEx or + WTSQuerySessionInformation or + LsaGetLogonSessionData or + QueryServiceObjectSecurity or + GetComputerNameEx or + NetWkstaGetInfo or + GetUserNameEx or + NetUserEnum or + NetUserGetInfo or + NetGroupEnum or + NetGroupGetInfo or + NetGroupGetUsers or + NetWkstaTransportEnum or + NetServerGetInfo or + LsaEnumerateTrustedDomains or + NetScheduleJobEnum or + NetUserModalsGet + ) + and not file.path : ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\DataCollection\\\\* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Local Account +** ID: T1087.001 +** Reference URL: https://attack.mitre.org/techniques/T1087/001/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ +* Technique: +** Name: Network Share Discovery +** ID: T1135 +** Reference URL: https://attack.mitre.org/techniques/T1135/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Network Shared Drive +** ID: T1039 +** Reference URL: https://attack.mitre.org/techniques/T1039/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privilege-escalation-via-cap-chown-cap-fowner-capabilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privilege-escalation-via-cap-chown-cap-fowner-capabilities.asciidoc new file mode 100644 index 0000000000..c6e9cd4ee1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privilege-escalation-via-cap-chown-cap-fowner-capabilities.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-11-7-privilege-escalation-via-cap-chown-cap-fowner-capabilities]] +=== Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities + +Identifies instances where a processes (granted CAP_CHOWN and/or CAP_FOWNER capabilities) is executed, after which the ownership of a suspicious file or binary is changed. In Linux, the CAP_CHOWN capability allows a process to change the owner of a file, while CAP_FOWNER permits it to bypass permission checks on operations that require file ownership (like reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.pid with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name != null and process.thread.capabilities.effective : ("CAP_CHOWN", "CAP_FOWNER") and + process.command_line : ("*sudoers*", "*passwd*", "*shadow*", "*/root/*") and user.id != "0"] + [file where event.dataset == "auditd_manager.auditd" and host.os.type == "linux" and + event.action == "changed-file-ownership-of" and event.type == "change" and event.outcome == "success" and + file.path in ( + "/etc/passwd", + "/etc/shadow", + "/etc/sudoers", + "/root/.ssh/*" + ) and user.id != "0"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privilege-escalation-via-cap-setuid-setgid-capabilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privilege-escalation-via-cap-setuid-setgid-capabilities.asciidoc new file mode 100644 index 0000000000..c513c1b34a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privilege-escalation-via-cap-setuid-setgid-capabilities.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-11-7-privilege-escalation-via-cap-setuid-setgid-capabilities]] +=== Privilege Escalation via CAP_SETUID/SETGID Capabilities + +Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SETUID and CAP_SETGID capabilities allow a process to change its UID and GID, respectively, providing control over user and group identity management. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name != null and + (process.thread.capabilities.effective : "CAP_SET?ID" or process.thread.capabilities.permitted : "CAP_SET?ID") and + user.id != "0"] + [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and + (process.thread.capabilities.effective : "CAP_SET?ID" or process.thread.capabilities.permitted : "CAP_SET?ID") + and user.id == "0"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Setuid and Setgid +** ID: T1548.001 +** Reference URL: https://attack.mitre.org/techniques/T1548/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privilege-escalation-via-gdb-cap-sys-ptrace.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privilege-escalation-via-gdb-cap-sys-ptrace.asciidoc new file mode 100644 index 0000000000..546f7421b0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privilege-escalation-via-gdb-cap-sys-ptrace.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-11-7-privilege-escalation-via-gdb-cap-sys-ptrace]] +=== Privilege Escalation via GDB CAP_SYS_PTRACE + +Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use the ptrace system call, which is typically used for debugging and allows the process to trace and control other processes. Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order to escalate their privileges to root. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entry_leader.entity_id with maxspan=1m + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "gdb" and + (process.thread.capabilities.effective : "CAP_SYS_PTRACE" or process.thread.capabilities.permitted : "CAP_SYS_PTRACE") and + user.id != "0"] + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name != null and user.id == "0"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Ptrace System Calls +** ID: T1055.008 +** Reference URL: https://attack.mitre.org/techniques/T1055/008/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privilege-escalation-via-named-pipe-impersonation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privilege-escalation-via-named-pipe-impersonation.asciidoc new file mode 100644 index 0000000000..53c54ea1fe --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privilege-escalation-via-named-pipe-impersonation.asciidoc @@ -0,0 +1,129 @@ +[[prebuilt-rule-8-11-7-privilege-escalation-via-named-pipe-impersonation]] +=== Privilege Escalation via Named Pipe Impersonation + +Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation +* https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/ +* https://redcanary.com/blog/getsystem-offsec/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Privilege Escalation via Named Pipe Impersonation + +A named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point. + +Attackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : ("Cmd.Exe", "PowerShell.EXE") or ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE")) and + process.args : "echo" and process.args : ">" and process.args : "\\\\.\\pipe\\*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privileges-elevation-via-parent-process-pid-spoofing.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privileges-elevation-via-parent-process-pid-spoofing.asciidoc new file mode 100644 index 0000000000..ae62ad7aed --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-privileges-elevation-via-parent-process-pid-spoofing.asciidoc @@ -0,0 +1,130 @@ +[[prebuilt-rule-8-11-7-privileges-elevation-via-parent-process-pid-spoofing]] +=== Privileges Elevation via Parent Process PID Spoofing + +Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6 +* https://blog.didierstevens.com/2017/03/20/ +* https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute +* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +/* This rule is compatible with Elastic Endpoint only */ + +process where host.os.type == "windows" and event.action == "start" and + + /* process creation via seclogon */ + process.parent.Ext.real.pid > 0 and + + /* PrivEsc to SYSTEM */ + user.id : "S-1-5-18" and + + /* Common FPs - evasion via hollowing is possible, should be covered by code injection */ + not process.executable : ("?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe", + "?:\\Windows\\System32\\WerFaultSecure.exe", + "?:\\Windows\\SysWOW64\\WerFaultSecure.exe", + "?:\\Windows\\System32\\Wermgr.exe", + "?:\\Windows\\SysWOW64\\Wermgr.exe", + "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and + /* Logon Utilities */ + not (process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and + process.executable : ("?:\\Windows\\System32\\osk.exe", + "?:\\Windows\\System32\\Narrator.exe", + "?:\\Windows\\System32\\Magnify.exe")) and + + not process.parent.executable : "?:\\Windows\\System32\\AtBroker.exe" and + + not (process.code_signature.subject_name in + ("philandro Software GmbH", "Freedom Scientific Inc.", "TeamViewer Germany GmbH", "Projector.is, Inc.", + "TeamViewer GmbH", "Cisco WebEx LLC", "Dell Inc") and process.code_signature.trusted == true) and + + /* AM_Delta_Patch Windows Update */ + not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and + process.parent.executable : ("?:\\Windows\\System32\\wuauclt.exe", + "?:\\Windows\\SysWOW64\\wuauclt.exe", + "?:\\Windows\\UUS\\Packages\\Preview\\*\\wuaucltcore.exe", + "?:\\Windows\\UUS\\amd64\\wuauclt.exe", + "?:\\Windows\\UUS\\amd64\\wuaucltcore.exe", + "?:\\ProgramData\\Microsoft\\Windows\\UUS\\*\\wuaucltcore.exe")) and + not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and process.parent.executable == null) and + + /* Other third party SW */ + not process.parent.executable : + ("?:\\Program Files (x86)\\HEAT Software\\HEAT Remote\\HEATRemoteServer.exe", + "?:\\Program Files (x86)\\VisualCron\\VisualCronService.exe", + "?:\\Program Files\\BinaryDefense\\Vision\\Agent\\bds-vision-agent-app.exe", + "?:\\Program Files\\Tablet\\Wacom\\WacomHost.exe", + "?:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe", + "?:\\Program Files (x86)\\EMC Captiva\\Captiva Cloud Runtime\\Emc.Captiva.WebCaptureRunner.exe", + "?:\\Program Files\\Freedom Scientific\\*.exe", + "?:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*\\remoting_host.exe", + "?:\\Program Files (x86)\\GoToAssist Remote Support Customer\\*\\g2ax_comm_customer.exe") and + not ( + process.code_signature.trusted == true and process.code_signature.subject_name == "Netwrix Corporation" and + process.name : "adcrcpy.exe" and process.parent.executable : ( + "?:\\Program Files (x86)\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.EventCollector.exe", + "?:\\Program Files (x86)\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.Analyzer.exe", + "?:\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.EventCollector.exe" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ +* Sub-technique: +** Name: Create Process with Token +** ID: T1134.002 +** Reference URL: https://attack.mitre.org/techniques/T1134/002/ +* Sub-technique: +** Name: Parent PID Spoofing +** ID: T1134.004 +** Reference URL: https://attack.mitre.org/techniques/T1134/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-process-capability-enumeration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-process-capability-enumeration.asciidoc new file mode 100644 index 0000000000..577e574205 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-process-capability-enumeration.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-11-7-process-capability-enumeration]] +=== Process Capability Enumeration + +Identifies recursive process capability enumeration of the entire filesystem through the getcap command. Malicious users may manipulate identified capabilities to gain root privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "getcap" and process.args == "-r" and process.args == "/" and process.args_count == 3 and +user.id != "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Process Discovery +** ID: T1057 +** Reference URL: https://attack.mitre.org/techniques/T1057/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-process-injection-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-process-injection-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..ecdd5954b1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-process-injection-detected-elastic-endgame.asciidoc @@ -0,0 +1,57 @@ +[[prebuilt-rule-8-11-7-process-injection-detected-elastic-endgame]] +=== Process Injection - Detected - Elastic Endgame + +Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-process-injection-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-process-injection-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..a329ed5ae0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-process-injection-prevented-elastic-endgame.asciidoc @@ -0,0 +1,57 @@ +[[prebuilt-rule-8-11-7-process-injection-prevented-elastic-endgame]] +=== Process Injection - Prevented - Elastic Endgame + +Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-ransomware-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-ransomware-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..df335d0222 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-ransomware-detected-elastic-endgame.asciidoc @@ -0,0 +1,44 @@ +[[prebuilt-rule-8-11-7-ransomware-detected-elastic-endgame]] +=== Ransomware - Detected - Elastic Endgame + +Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-ransomware-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-ransomware-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..5016616266 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-ransomware-prevented-elastic-endgame.asciidoc @@ -0,0 +1,44 @@ +[[prebuilt-rule-8-11-7-ransomware-prevented-elastic-endgame]] +=== Ransomware - Prevented - Elastic Endgame + +Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-registry-persistence-via-appinit-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-registry-persistence-via-appinit-dll.asciidoc new file mode 100644 index 0000000000..3d43f76fc1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-registry-persistence-via-appinit-dll.asciidoc @@ -0,0 +1,154 @@ +[[prebuilt-rule-8-11-7-registry-persistence-via-appinit-dll]] +=== Registry Persistence via AppInit DLL + +AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Registry Persistence via AppInit DLL + +AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. + +Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine. + +This rule identifies modifications on the AppInit registry keys. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Review the source process and related DLL file tied to the Windows Registry entry. + - Check whether the DLL is signed, and tied to a authorized program used on your environment. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Retrieve all DLLs under the AppInit registry keys: + - !{osquery{"label":"Osquery - Retrieve AppInit Registry Value","query":"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows' or\nr.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows') and r.name ==\n'AppInit_DLLs'\n"}} +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable and the DLLs using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + registry.path : ( + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", + "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls" + ) and + not process.executable : ( + "?:\\Windows\\System32\\DriverStore\\FileRepository\\*\\Display.NvContainer\\NVDisplay.Container.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\SysWOW64\\msiexec.exe", + "?:\\Program Files\\Commvault\\Base\\cvd.exe", + "?:\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe", + "?:\\Program Files (x86)\\Commvault\\Base\\cvd.exe", + "?:\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe", + "?:\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: AppInit DLLs +** ID: T1546.010 +** Reference URL: https://attack.mitre.org/techniques/T1546/010/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc new file mode 100644 index 0000000000..fb32889eed --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc @@ -0,0 +1,116 @@ +[[prebuilt-rule-8-11-7-remote-desktop-enabled-in-windows-firewall-by-netsh]] +=== Remote Desktop Enabled in Windows Firewall by Netsh + +Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote Desktop Enabled in Windows Firewall by Netsh + +Microsoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389. + +Attackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts. + +This rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the user to check if they are aware of the operation. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether it makes sense to enable RDP to this host, given its role in the environment. +- Check if the host is directly exposed to the internet. +- Check whether privileged accounts accessed the host shortly after the modification. +- Review network events within a short timespan of this alert for incoming RDP connection attempts. + +### False positive analysis + +- The `netsh.exe` utility can be used legitimately. Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If RDP is needed, make sure to secure it: + - Allowlist RDP traffic to specific trusted hosts. + - Restrict RDP logins to authorized non-administrator accounts, where possible. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "netsh.exe" or ?process.pe.original_file_name == "netsh.exe") and + process.args : ("localport=3389", "RemoteDesktop", "group=\"remote desktop\"") and + process.args : ("action=allow", "enable=Yes", "enable") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify System Firewall +** ID: T1562.004 +** Reference URL: https://attack.mitre.org/techniques/T1562/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-execution-via-file-shares.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-execution-via-file-shares.asciidoc new file mode 100644 index 0000000000..fb7d994385 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-execution-via-file-shares.asciidoc @@ -0,0 +1,140 @@ +[[prebuilt-rule-8-11-7-remote-execution-via-file-shares]] +=== Remote Execution via File Shares + +Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote Execution via File Shares + +Adversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Review the privileges needed to write to the network share and restrict write access as needed. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m + [file where host.os.type == "windows" and event.type in ("creation", "change") and + process.pid == 4 and (file.extension : "exe" or file.Ext.header_bytes : "4d5a*")] by host.id, file.path + [process where host.os.type == "windows" and event.type == "start" and + not ( + /* Veeam related processes */ + ( + process.name : ( + "VeeamGuestHelper.exe", "VeeamGuestIndexer.exe", "VeeamAgent.exe", "VeeamLogShipper.exe", "Veeam.VSS.Sharepoint2010.exe" + ) and process.code_signature.trusted == true and process.code_signature.subject_name : "Veeam Software Group GmbH" + ) or + /* PDQ related processes */ + ( + process.name : ( + "PDQInventoryScanner.exe", "PDQInventoryMonitor.exe", "PDQInventory-Scanner-?.exe", "PDQInventoryWakeCommand-?.exe" + ) and process.code_signature.trusted == true and process.code_signature.subject_name : "PDQ.com Corporation" + ) + ) + ] by host.id, process.executable + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-file-copy-to-a-hidden-share.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-file-copy-to-a-hidden-share.asciidoc new file mode 100644 index 0000000000..24acb630ad --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-file-copy-to-a-hidden-share.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-11-7-remote-file-copy-to-a-hidden-share]] +=== Remote File Copy to a Hidden Share + +Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + ( + process.name : ("cmd.exe", "powershell.exe", "xcopy.exe") and + process.args : ("copy*", "move*", "cp", "mv") or + process.name : "robocopy.exe" + ) and process.args : "*\\\\*\\*$*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-file-download-via-desktopimgdownldr-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-file-download-via-desktopimgdownldr-utility.asciidoc new file mode 100644 index 0000000000..07b29fd664 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-file-download-via-desktopimgdownldr-utility.asciidoc @@ -0,0 +1,136 @@ +[[prebuilt-rule-8-11-7-remote-file-download-via-desktopimgdownldr-utility]] +=== Remote File Download via Desktopimgdownldr Utility + +Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote File Download via Desktopimgdownldr Utility + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files. + +The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses the {security-guide}/security/master/interactive-investigation-guides.html[Investigate Markdown Plugin] introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - !{investigate{"label":"Alerts associated with the user in the last 48h","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"user.id","queryType":"phrase","value":"{{user.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}} + - !{investigate{"label":"Alerts associated with the host in the last 48h","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"host.name","queryType":"phrase","value":"{{host.name}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}} +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - !{investigate{"label":"Investigate the Subject Process Network Events","providers":[[{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"network","valueType":"string"}]]}} + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary. +- Analysts can dismiss the alert if the downloaded file is a legitimate image. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "desktopimgdownldr.exe" or ?process.pe.original_file_name == "desktopimgdownldr.exe") and + process.args : "/lockscreenurl:http*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-file-download-via-mpcmdrun.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-file-download-via-mpcmdrun.asciidoc new file mode 100644 index 0000000000..812d975b45 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remote-file-download-via-mpcmdrun.asciidoc @@ -0,0 +1,134 @@ +[[prebuilt-rule-8-11-7-remote-file-download-via-mpcmdrun]] +=== Remote File Download via MpCmdRun + +Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/mohammadaskar2/status/1301263551638761477 +* https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote File Download via MpCmdRun + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files. + +The `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses the {security-guide}/security/master/interactive-investigation-guides.html[Investigate Markdown Plugin] introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - !{investigate{"label":"Alerts associated with the user in the last 48h","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"user.id","queryType":"phrase","value":"{{user.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}} + - !{investigate{"label":"Alerts associated with the host in the last 48h","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"host.name","queryType":"phrase","value":"{{host.name}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}} +- Check the reputation of the domain or IP address used to host the downloaded file. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - !{investigate{"label":"Investigate the Subject Process Network Events","providers":[[{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"network","valueType":"string"}]]}} + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "MpCmdRun.exe" or ?process.pe.original_file_name == "MpCmdRun.exe") and + process.args : "-DownloadFile" and process.args : "-url" and process.args : "-path" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remotely-started-services-via-rpc.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remotely-started-services-via-rpc.asciidoc new file mode 100644 index 0000000000..36792e4b38 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-remotely-started-services-via-rpc.asciidoc @@ -0,0 +1,161 @@ +[[prebuilt-rule-8-11-7-remotely-started-services-via-rpc]] +=== Remotely Started Services via RPC + +Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators." + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remotely Started Services via RPC + +The Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated. + +This rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system. +- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1s + [network where host.os.type == "windows" and process.name : "services.exe" and + network.direction : ("incoming", "ingress") and network.transport == "tcp" and + source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" + ] by host.id, process.entity_id + [process where host.os.type == "windows" and + event.type == "start" and process.parent.name : "services.exe" and + not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : "/V") and + not process.executable : ( + "?:\\Pella Corporation\\OSCToGPAutoService\\OSCToGPAutoSvc.exe", + "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe", + "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Program Files\\*.exe", + "?:\\Windows\\ADCR_Agent\\adcrsvc.exe", + "?:\\Windows\\AdminArsenal\\PDQ*.exe", + "?:\\Windows\\CAInvokerService.exe", + "?:\\Windows\\ccmsetup\\ccmsetup.exe", + "?:\\Windows\\eset-remote-install-service.exe", + "?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe", + "?:\\Windows\\PSEXESVC.EXE", + "?:\\Windows\\RemoteAuditService.exe", + "?:\\Windows\\servicing\\TrustedInstaller.exe", + "?:\\Windows\\System32\\certsrv.exe", + "?:\\Windows\\System32\\sppsvc.exe", + "?:\\Windows\\System32\\srmhost.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\taskhostex.exe", + "?:\\Windows\\System32\\upfc.exe", + "?:\\Windows\\System32\\vds.exe", + "?:\\Windows\\System32\\VSSVC.exe", + "?:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe", + "?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe", + "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe", + "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe" + )] by host.id, process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-root-network-connection-via-gdb-cap-sys-ptrace.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-root-network-connection-via-gdb-cap-sys-ptrace.asciidoc new file mode 100644 index 0000000000..1246c71949 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-root-network-connection-via-gdb-cap-sys-ptrace.asciidoc @@ -0,0 +1,94 @@ +[[prebuilt-rule-8-11-7-root-network-connection-via-gdb-cap-sys-ptrace]] +=== Root Network Connection via GDB CAP_SYS_PTRACE + +Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which an outbound network connection is initiated by UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use the ptrace system call, which is typically used for debugging and allows the process to trace and control other processes. Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order to execute shell code and gain a reverse shell with root privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Execution +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entry_leader.entity_id with maxspan=30s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "gdb" and + (process.thread.capabilities.effective : "CAP_SYS_PTRACE" or process.thread.capabilities.permitted : "CAP_SYS_PTRACE") and + user.id != "0"] + [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and + process.name != null and user.id == "0"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Ptrace System Calls +** ID: T1055.008 +** Reference URL: https://attack.mitre.org/techniques/T1055/008/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-security-software-discovery-via-grep.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-security-software-discovery-via-grep.asciidoc new file mode 100644 index 0000000000..eaeb02e95d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-security-software-discovery-via-grep.asciidoc @@ -0,0 +1,152 @@ +[[prebuilt-rule-8-11-7-security-software-discovery-via-grep]] +=== Security Software Discovery via Grep + +Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Security Software Discovery via Grep + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and +process.name : "grep" and user.id != "0" and + not process.parent.executable : ("/Library/Application Support/*", "/opt/McAfee/agent/scripts/ma") and + process.args : + ("Little Snitch*", + "Avast*", + "Avira*", + "ESET*", + "BlockBlock*", + "360Sec*", + "LuLu*", + "KnockKnock*", + "kav", + "KIS", + "RTProtectionDaemon*", + "Malware*", + "VShieldScanner*", + "WebProtection*", + "webinspectord*", + "McAfee*", + "isecespd*", + "macmnsvc*", + "masvc*", + "kesl*", + "avscan*", + "guard*", + "rtvscand*", + "symcfgd*", + "scmdaemon*", + "symantec*", + "sophos*", + "osquery*", + "elastic-endpoint*" + ) and + not ( + (process.args : "Avast" and process.args : "Passwords") or + (process.parent.args : "/opt/McAfee/agent/scripts/ma" and process.parent.args : "checkhealth") or + (process.command_line : ( + "grep ESET Command-line scanner, version %s -A2", + "grep -i McAfee Web Gateway Core version:", + "grep --color=auto ESET Command-line scanner, version %s -A2" + ) + ) or + (process.parent.command_line : ( + """sh -c printf "command_start_%s"*; perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf "command_done_%s*""", + """bash -c perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1""" + ) + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ +* Sub-technique: +** Name: Security Software Discovery +** ID: T1518.001 +** Reference URL: https://attack.mitre.org/techniques/T1518/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-sedebugprivilege-enabled-by-a-suspicious-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-sedebugprivilege-enabled-by-a-suspicious-process.asciidoc new file mode 100644 index 0000000000..8c88dbdd7e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-sedebugprivilege-enabled-by-a-suspicious-process.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-7-sedebugprivilege-enabled-by-a-suspicious-process]] +=== SeDebugPrivilege Enabled by a Suspicious Process + +Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703 +* https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and + event.action : "Token Right Adjusted Events" and + + winlog.event_data.EnabledPrivilegeList : "SeDebugPrivilege" and + + /* exclude processes with System Integrity */ + not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and + + not winlog.event_data.ProcessName : + ("?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\SysWOW64\\msiexec.exe", + "?:\\Windows\\System32\\lsass.exe", + "?:\\Windows\\WinSxS\\*", + "?:\\Program Files\\*", + "?:\\Program Files (x86)\\*", + "?:\\Windows\\System32\\MRT.exe", + "?:\\Windows\\System32\\cleanmgr.exe", + "?:\\Windows\\System32\\taskhostw.exe", + "?:\\Windows\\System32\\mmc.exe", + "?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe", + "?:\\Windows\\System32\\auditpol.exe", + "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe", + "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-setcap-setuid-setgid-capability-set.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-setcap-setuid-setgid-capability-set.asciidoc new file mode 100644 index 0000000000..1bbb561b98 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-setcap-setuid-setgid-capability-set.asciidoc @@ -0,0 +1,135 @@ +[[prebuilt-rule-8-11-7-setcap-setuid-setgid-capability-set]] +=== Setcap setuid/setgid Capability Set + +This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Setcap setuid/setgid Capability Set + +Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. + +Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions. + +This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the file that was targeted by the addition of the setuid/setgid capability through OSQuery. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name : "jem" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Setuid and Setgid +** ID: T1548.001 +** Reference URL: https://attack.mitre.org/techniques/T1548/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-shared-object-created-or-changed-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-shared-object-created-or-changed-by-previously-unknown-process.asciidoc new file mode 100644 index 0000000000..fe9be2e71d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-shared-object-created-or-changed-by-previously-unknown-process.asciidoc @@ -0,0 +1,139 @@ +[[prebuilt-rule-8-11-7-shared-object-created-or-changed-by-previously-unknown-process]] +=== Shared Object Created or Changed by Previously Unknown Process + +This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://threatpost.com/sneaky-malware-backdoors-linux/180158/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Shared Object Created or Changed by Previously Unknown Process + +A shared object file is a compiled library file (typically with a .so extension) that can be dynamically linked to executable programs at runtime, allowing for code reuse and efficient memory usage. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. + +Malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. + +This rule monitors the creation of shared object files by previously unknown processes through the usage of the new terms rule type. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the shared object that was created or modified through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE path = {{file.path}}\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE path = {{file.path}}\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and +file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and +process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher" + or "pacman" or "apt-get" or "dnf" or "podman" or "platform-python")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-signed-proxy-execution-via-ms-work-folders.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-signed-proxy-execution-via-ms-work-folders.asciidoc new file mode 100644 index 0000000000..a53c1383c4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-signed-proxy-execution-via-ms-work-folders.asciidoc @@ -0,0 +1,109 @@ +[[prebuilt-rule-8-11-7-signed-proxy-execution-via-ms-work-folders]] +=== Signed Proxy Execution via MS Work Folders + +Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview +* https://twitter.com/ElliotKillick/status/1449812843772227588 +* https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame + +*Version*: 107 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Signed Proxy Execution via MS Work Folders + +Work Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share. + +Using Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. It resides in the System32 directory by default. +- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host. +- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic. +- Determine if control.exe was synced to sync share, indicating potential lateral movement. +- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to +disk from a separate binary. + +### False positive analysis + +- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it. +- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation. +- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders. +- Confirm with the user whether this was expected or not, and reset their password. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" + and process.name : "control.exe" and process.parent.name : "WorkFolders.exe" + and not process.executable : ("?:\\Windows\\System32\\control.exe", "?:\\Windows\\SysWOW64\\control.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc new file mode 100644 index 0000000000..40a2ae44a4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc @@ -0,0 +1,65 @@ +[[prebuilt-rule-8-11-7-statistical-model-detected-c2-beaconing-activity-with-high-confidence]] +=== Statistical Model Detected C2 Beaconing Activity with High Confidence + +A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. + +*Rule type*: query + +*Rule indices*: + +* ml_beaconing.all + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-1h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/beaconing +* https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic + +*Tags*: + +* Domain: Network +* Use Case: C2 Beaconing Detection +* Tactic: Command and Control + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +beacon_stats.beaconing_score: 3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Web Service +** ID: T1102 +** Reference URL: https://attack.mitre.org/techniques/T1102/ +* Sub-technique: +** Name: Bidirectional Communication +** ID: T1102.002 +** Reference URL: https://attack.mitre.org/techniques/T1102/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-statistical-model-detected-c2-beaconing-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-statistical-model-detected-c2-beaconing-activity.asciidoc new file mode 100644 index 0000000000..750baf87ad --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-statistical-model-detected-c2-beaconing-activity.asciidoc @@ -0,0 +1,65 @@ +[[prebuilt-rule-8-11-7-statistical-model-detected-c2-beaconing-activity]] +=== Statistical Model Detected C2 Beaconing Activity + +A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. + +*Rule type*: query + +*Rule indices*: + +* ml_beaconing.all + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-1h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/beaconing +* https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic + +*Tags*: + +* Domain: Network +* Use Case: C2 Beaconing Detection +* Tactic: Command and Control + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +beacon_stats.is_beaconing: true + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Web Service +** ID: T1102 +** Reference URL: https://attack.mitre.org/techniques/T1102/ +* Sub-technique: +** Name: Bidirectional Communication +** ID: T1102.002 +** Reference URL: https://attack.mitre.org/techniques/T1102/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-sudo-heap-based-buffer-overflow-attempt.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-sudo-heap-based-buffer-overflow-attempt.asciidoc new file mode 100644 index 0000000000..1df67a7bbd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-sudo-heap-based-buffer-overflow-attempt.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-7-sudo-heap-based-buffer-overflow-attempt]] +=== Sudo Heap-Based Buffer Overflow Attempt + +Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user. + +*Rule type*: threshold + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 +* https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit +* https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw +* https://www.sudo.ws/alerts/unescape_overflow.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:start and + process.name:(sudo or sudoedit) and + process.args:(*\\ and ("-i" or "-s")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-sudoers-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-sudoers-file-modification.asciidoc new file mode 100644 index 0000000000..0f4ea20a55 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-sudoers-file-modification.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-7-sudoers-file-modification]] +=== Sudoers File Modification + +A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 204 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and +not process.name:(dpkg or platform-python or puppet or yum or dnf) and +not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-certutil-commands.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-certutil-commands.asciidoc new file mode 100644 index 0000000000..22fd5c6cb3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-certutil-commands.asciidoc @@ -0,0 +1,130 @@ +[[prebuilt-rule-8-11-7-suspicious-certutil-commands]] +=== Suspicious CertUtil Commands + +Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/Moriarty_Meng/status/984380793383370752 +* https://twitter.com/egre55/status/1087685529016193025 +* https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx +* https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious CertUtil Commands + +`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows. + +Attackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to determine the nature of the execution. + - If files were downloaded, retrieve them and check whether they were run, and under which security context. + - If files were obfuscated or deobfuscated, retrieve them. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the involved files using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "certutil.exe" or ?process.pe.original_file_name == "CertUtil.exe") and + process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex", "?exportPFX") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-cmd-execution-via-wmi.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-cmd-execution-via-wmi.asciidoc new file mode 100644 index 0000000000..bac4c74f24 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-cmd-execution-via-wmi.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-11-7-suspicious-cmd-execution-via-wmi]] +=== Suspicious Cmd Execution via WMI + +Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and + process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-execution-via-windows-subsystem-for-linux.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-execution-via-windows-subsystem-for-linux.asciidoc new file mode 100644 index 0000000000..5a13380aec --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-execution-via-windows-subsystem-for-linux.asciidoc @@ -0,0 +1,97 @@ +[[prebuilt-rule-8-11-7-suspicious-execution-via-windows-subsystem-for-linux]] +=== Suspicious Execution via Windows Subsystem for Linux + +Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/ +* https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ +* https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type : "start" and + ( + ( + (process.executable : "?:\\Windows\\System32\\bash.exe" or ?process.pe.original_file_name == "Bash.exe") and + not process.command_line : ("bash", "bash.exe") + ) or + process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or + ( + process.parent.name : "wsl.exe" and ?process.parent.command_line : "bash*" and not process.name : "wslhost.exe" + ) or + ( + process.name : "wsl.exe" and process.args : ( + "curl", "/etc/shadow", "/etc/passwd", "cat", "--system", "root", "-e", "--exec", "bash", "/mnt/c/*" + ) and not process.args : ("wsl-bootstrap", "docker-desktop-data", "*.vscode-server*") + ) + ) and + not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indirect Command Execution +** ID: T1202 +** Reference URL: https://attack.mitre.org/techniques/T1202/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-file-creation-in-etc-for-persistence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-file-creation-in-etc-for-persistence.asciidoc new file mode 100644 index 0000000000..cc4473b8ca --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-file-creation-in-etc-for-persistence.asciidoc @@ -0,0 +1,200 @@ +[[prebuilt-rule-8-11-7-suspicious-file-creation-in-etc-for-persistence]] +=== Suspicious File Creation in /etc for Persistence + +Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Orbit +* Threat: Lightning Framework +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious File Creation in /etc for Persistence + +The /etc/ directory in Linux is used to store system-wide configuration files and scripts. + +By creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. + +This rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the file that was created or modified. +- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (\n path LIKE '/etc/ld.so.conf.d/%' OR\n path LIKE '/etc/cron.d/%' OR\n path LIKE '/etc/sudoers.d/%' OR\n path LIKE '/etc/rc%.d/%' OR\n path LIKE '/etc/init.d/%' OR\n path LIKE '/etc/systemd/system/%' OR\n path LIKE '/usr/lib/systemd/system/%'\n)\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (\n path LIKE '/etc/ld.so.conf.d/%' OR\n path LIKE '/etc/cron.d/%' OR\n path LIKE '/etc/sudoers.d/%' OR\n path LIKE '/etc/rc%.d/%' OR\n path LIKE '/etc/init.d/%' OR\n path LIKE '/etc/systemd/system/%' OR\n path LIKE '/usr/lib/systemd/system/%'\n)\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Related Rules + +- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9 +- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f +- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b +- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c +- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.id == "0" and +file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", +"/usr/lib/systemd/system/*") and not ( + (process.executable : ( + "*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd", "*/snapd", + "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", + "*/bin/dockerd", "*/sbin/dockerd", "/kaniko/executor", "/usr/sbin/rhn_check" + ) + ) or + (file.extension in ("swp", "swpx", "tmp")) or + (process.name : ("chef-client", "ruby", "pacman", "packagekitd", "python*", "platform-python")) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-file-creation-via-kworker.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-file-creation-via-kworker.asciidoc new file mode 100644 index 0000000000..b216d7c96c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-file-creation-via-kworker.asciidoc @@ -0,0 +1,144 @@ +[[prebuilt-rule-8-11-7-suspicious-file-creation-via-kworker]] +=== Suspicious File Creation via Kworker + +This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious File Creation via Kworker + +Kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. + +Attackers may attempt to evade detection by masquerading as a kernel worker process. + +This rule monitors for suspicious file creation events through the kworker process. This is not common, and could indicate malicious behaviour. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the file that was created or modified through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE path = {{file.path}}\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE path = {{file.path}}\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Related Rules + +- Suspicious Kworker UID Elevation - 7dfaaa17-425c-4fe7-bd36-83705fde7c2b +- Network Activity Detected via Kworker - 25d917c4-aa3c-4111-974c-286c0312ff95 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where event.action == "creation" and process.name : "kworker*" and not ( + process.name : "kworker*kcryptd*" or file.path : ("/var/log/*", "/var/crash/*") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Rootkit +** ID: T1014 +** Reference URL: https://attack.mitre.org/techniques/T1014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-java-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-java-child-process.asciidoc new file mode 100644 index 0000000000..90bca0d865 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-java-child-process.asciidoc @@ -0,0 +1,112 @@ +[[prebuilt-rule-8-11-7-suspicious-java-child-process]] +=== Suspicious JAVA Child Process + +Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.lunasec.io/docs/blog/log4j-zero-day/ +* https://github.com/christophetd/log4shell-vulnerable-app +* https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf +* https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security +* https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Java Child Process + +This rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. +- Examine the command line to determine if the command executed is potentially harmful or malicious. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:("start" or "process_started") and process.parent.name:"java" and process.name:( + "sh" or "bash" or "dash" or "ksh" or "tcsh" or "zsh" or "curl" or "wget" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-ms-office-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-ms-office-child-process.asciidoc new file mode 100644 index 0000000000..c533ce9958 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-ms-office-child-process.asciidoc @@ -0,0 +1,172 @@ +[[prebuilt-rule-8-11-7-suspicious-ms-office-child-process]] +=== Suspicious MS Office Child Process + +Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/blog/vulnerability-summary-follina + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious MS Office Child Process + +Microsoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of. + +This rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client. +- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ( + "eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", + "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe" + ) and + process.name : ( + "Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", + "certutil.exe", "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", + "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe", + "installutil.exe", "ipconfig.exe", "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe", + "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe", "powershell.exe", "pwsh.exe", "qprocess.exe", + "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe", + "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe", + "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe", "msdt.exe" + ) and + not ( + process.parent.name : "outlook.exe" and + process.name : "rundll32.exe" and + process.args : "shell32.dll,Control_RunDLL" and + process.args : "srchadmin.dll" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-ms-outlook-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-ms-outlook-child-process.asciidoc new file mode 100644 index 0000000000..f29a964e60 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-ms-outlook-child-process.asciidoc @@ -0,0 +1,159 @@ +[[prebuilt-rule-8-11-7-suspicious-ms-outlook-child-process]] +=== Suspicious MS Outlook Child Process + +Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious MS Outlook Child Process + +Microsoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite. + +This rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve recently opened files received via email and opened by the user that could cause this behavior. Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client. +- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "outlook.exe" and + process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", + "cdb.exe", "certutil.exe", "cmd.exe", "cmstp.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", + "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", + "iexpress.exe", "installutil.exe", "ipconfig.exe", "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", + "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe", "powershell.exe", + "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", + "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", + "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe", "xwizard.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-net-reflection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-net-reflection-via-powershell.asciidoc new file mode 100644 index 0000000000..08e40654ae --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-net-reflection-via-powershell.asciidoc @@ -0,0 +1,169 @@ +[[prebuilt-rule-8-11-7-suspicious-net-reflection-via-powershell]] +=== Suspicious .NET Reflection via PowerShell + +Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 111 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious .NET Reflection via PowerShell + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the script using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "[System.Reflection.Assembly]::Load" or + "[Reflection.Assembly]::Load" + ) and + not powershell.file.script_block_text : ( + ("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and + "HelpDisplayStrings" + ) and + not (powershell.file.script_block_text : + ("Get-SolutionFiles" or "Get-VisualStudio" or "Select-MSBuildPath") and + file.name : "PathFunctions.ps1" + ) and + not file.path : C\:\\\\Program?Files\\\\Microsoft?Monitoring?Agent\\\\Agent\\\\Health?Service?State\\\\Monitoring?Host?Temporary?Files*\\\\AvailabilityGroupMonitoring.ps1 and + not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Reflective Code Loading +** ID: T1620 +** Reference URL: https://attack.mitre.org/techniques/T1620/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Dynamic-link Library Injection +** ID: T1055.001 +** Reference URL: https://attack.mitre.org/techniques/T1055/001/ +* Sub-technique: +** Name: Portable Executable Injection +** ID: T1055.002 +** Reference URL: https://attack.mitre.org/techniques/T1055/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc new file mode 100644 index 0000000000..a23040dbe7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc @@ -0,0 +1,146 @@ +[[prebuilt-rule-8-11-7-suspicious-network-activity-to-the-internet-by-previously-unknown-executable]] +=== Suspicious Network Activity to the Internet by Previously Unknown Executable + +This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-59m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable + +After being installed, malware will often call out to its command and control server to receive further instructions by its operators. + +This rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} + - !{osquery{"label":"Osquery - Retrieve Process Info","query":"SELECT name, cmdline, parent, path, uid FROM processes"}} +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + +### Related rules + +- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39 + +### False positive analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and +process.executable:( + (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or + /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/* + ) and not (/tmp/newroot/* or /tmp/snap.rootfs*) + ) and +source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and +not process.name:( + apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or + saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform* +) and +not destination.ip:( + 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or + 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or + 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or + 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" or 0.0.0.0 +) and +not destination.port:(22 or 80 or 443) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-network-connection-via-sudo-binary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-network-connection-via-sudo-binary.asciidoc new file mode 100644 index 0000000000..2b019fbc80 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-network-connection-via-sudo-binary.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-11-7-suspicious-network-connection-via-sudo-binary]] +=== Suspicious Network Connection via Sudo Binary + +Detects network connections initiated by the "sudo" binary. This behavior is uncommon and may occur in instances where reverse shell shellcode is injected into a process run with elevated permissions via "sudo". Attackers may attempt to inject shellcode into processes running as root, to escalate privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and +process.name == "sudo" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Ptrace System Calls +** ID: T1055.008 +** Reference URL: https://attack.mitre.org/techniques/T1055/008/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-powershell-engine-imageload.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-powershell-engine-imageload.asciidoc new file mode 100644 index 0000000000..09cd1df31c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-powershell-engine-imageload.asciidoc @@ -0,0 +1,130 @@ +[[prebuilt-rule-8-11-7-suspicious-powershell-engine-imageload]] +=== Suspicious PowerShell Engine ImageLoad + +Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 209 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious PowerShell Engine ImageLoad + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called "PowerShell without PowerShell," works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:windows and event.category:library and + dll.name:("System.Management.Automation.dll" or "System.Management.Automation.ni.dll") and + not ( + process.code_signature.subject_name:("Microsoft Corporation" or "Microsoft Dynamic Code Publisher" or "Microsoft Windows") and process.code_signature.trusted:true and not process.name.caseless:("regsvr32.exe" or "rundll32.exe") + ) and + not ( + process.executable.caseless:(?\:\\\\Program?Files?\(x86\)\\\\*.exe or ?\:\\\\Program?Files\\\\*.exe) and + process.code_signature.trusted:true + ) and + not ( + process.executable.caseless:?\:\\\\Windows\\\\Lenovo\\\\*.exe and process.code_signature.subject_name:"Lenovo" and + process.code_signature.trusted:true + ) and + not ( + process.executable.caseless:?\:\\\\ProgramData\\\\chocolatey\\\\choco.exe* and + process.code_signature.subject_name:"Chocolatey Software, Inc." and process.code_signature.trusted:true + ) and not process.executable.caseless : "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-print-spooler-spl-file-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-print-spooler-spl-file-created.asciidoc new file mode 100644 index 0000000000..1c4e5ca635 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-print-spooler-spl-file-created.asciidoc @@ -0,0 +1,151 @@ +[[prebuilt-rule-8-11-7-suspicious-print-spooler-spl-file-created]] +=== Suspicious Print Spooler SPL File Created + +Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Print Spooler SPL File Created + +Print Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc. + +The Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\Windows\System32\spool\PRINTERS\`, which is an essential step in exploiting these vulnerabilities. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Ensure that the machine has the latest security updates and is not running legacy Windows versions. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.extension : "spl" and + file.path : "?:\\Windows\\System32\\spool\\PRINTERS\\*" and + not process.name : ("spoolsv.exe", + "printfilterpipelinesvc.exe", + "PrintIsolationHost.exe", + "splwow64.exe", + "msiexec.exe", + "poqexec.exe", + "System") and + not user.id : "S-1-5-18" and + not process.executable : + ("?:\\Windows\\System32\\mmc.exe", + "\\Device\\Mup\\*.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\mmc.exe", + "?:\\Windows\\System32\\printui.exe", + "?:\\Windows\\System32\\mstsc.exe", + "?:\\Windows\\System32\\spool\\*.exe", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\PROGRA~1\\*.exe", + "?:\\PROGRA~2\\*.exe", + "?:\\Windows\\System32\\rundll32.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-printspooler-service-executable-file-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-printspooler-service-executable-file-creation.asciidoc new file mode 100644 index 0000000000..a38b12a60f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-printspooler-service-executable-file-creation.asciidoc @@ -0,0 +1,79 @@ +[[prebuilt-rule-8-11-7-suspicious-printspooler-service-executable-file-creation]] +=== Suspicious PrintSpooler Service Executable File Creation + +Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/ +* https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + process.name : "spoolsv.exe" and file.extension : "dll" and + file.path : ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*") and + not file.path : ( + "?:\\WINDOWS\\SysWOW64\\PrintConfig.dll", + "?:\\WINDOWS\\system32\\x5lrs.dll", + "?:\\WINDOWS\\sysWOW64\\x5lrs.dll", + "?:\\WINDOWS\\system32\\PrintConfig.dll", + "?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\*.dll", + "?:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\*.dll", + "?:\\WINDOWS\\system32\\spool\\PRTPROCS\\x64\\*.dll", + "?:\\WINDOWS\\system32\\spool\\{????????-????-????-????-????????????}\\*.dll" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-rdp-activex-client-loaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-rdp-activex-client-loaded.asciidoc new file mode 100644 index 0000000000..2e0426a20f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-rdp-activex-client-loaded.asciidoc @@ -0,0 +1,90 @@ +[[prebuilt-rule-8-11-7-suspicious-rdp-activex-client-loaded]] +=== Suspicious RDP ActiveX Client Loaded + +Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and + (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "mstscax.dll" or file.name : "mstscax.dll") and + /* depending on noise in your env add here extra paths */ + process.executable : ( + "C:\\Windows\\*", + "C:\\Users\\Public\\*", + "C:\\Users\\Default\\*", + "C:\\Intel\\*", + "C:\\PerfLogs\\*", + "C:\\ProgramData\\*", + "\\Device\\Mup\\*", + "\\\\*" + ) and + /* add here FPs */ + not process.executable : ( + "?:\\Windows\\System32\\mstsc.exe", + "?:\\Windows\\SysWOW64\\mstsc.exe", + "?:\\Windows\\System32\\vmconnect.exe", + "?:\\Windows\\System32\\WindowsSandboxClient.exe", + "?:\\Windows\\System32\\hvsirdpclient.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-solarwinds-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-solarwinds-child-process.asciidoc new file mode 100644 index 0000000000..2bbdea7799 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-solarwinds-child-process.asciidoc @@ -0,0 +1,97 @@ +[[prebuilt-rule-8-11-7-suspicious-solarwinds-child-process]] +=== Suspicious SolarWinds Child Process + +A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html +* https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name: ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and + not ( + process.name : ( + "APMServiceControl*.exe", + "ExportToPDFCmd*.Exe", + "SolarWinds.Credentials.Orion.WebApi*.exe", + "SolarWinds.Orion.Topology.Calculator*.exe", + "Database-Maint.exe", + "SolarWinds.Orion.ApiPoller.Service.exe", + "WerFault.exe", + "WerMgr.exe", + "SolarWinds.BusinessLayerHost.exe", + "SolarWinds.BusinessLayerHostx64.exe", + "SolarWinds.Topology.Calculator.exe", + "SolarWinds.Topology.Calculatorx64.exe", + "SolarWinds.APM.RealTimeProcessPoller.exe") and + process.code_signature.trusted == true + ) and + not process.executable : ("?:\\Windows\\SysWOW64\\ARP.EXE", "?:\\Windows\\SysWOW64\\lodctr.exe", "?:\\Windows\\SysWOW64\\unlodctr.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Supply Chain Compromise +** ID: T1195 +** Reference URL: https://attack.mitre.org/techniques/T1195/ +* Sub-technique: +** Name: Compromise Software Supply Chain +** ID: T1195.002 +** Reference URL: https://attack.mitre.org/techniques/T1195/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-wmic-xsl-script-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-wmic-xsl-script-execution.asciidoc new file mode 100644 index 0000000000..e6f266354d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-suspicious-wmic-xsl-script-execution.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-11-7-suspicious-wmic-xsl-script-execution]] +=== Suspicious WMIC XSL Script Execution + +Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan = 2m +[process where host.os.type == "windows" and event.type == "start" and + (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and + process.args : ("format*:*", "/format*:*", "*-format*:*") and + not process.command_line : ("* /format:table *", "* /format:table")] +[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: XSL Script Processing +** ID: T1220 +** Reference URL: https://attack.mitre.org/techniques/T1220/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-svchost-spawning-cmd.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-svchost-spawning-cmd.asciidoc new file mode 100644 index 0000000000..136360ada5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-svchost-spawning-cmd.asciidoc @@ -0,0 +1,123 @@ +[[prebuilt-rule-8-11-7-svchost-spawning-cmd]] +=== Svchost spawning Cmd + +Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 209 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Svchost spawning Cmd + +The Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services. + +This rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc new file mode 100644 index 0000000000..dacef84275 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc @@ -0,0 +1,93 @@ +[[prebuilt-rule-8-11-7-system-binary-copied-and-or-moved-to-suspicious-directory]] +=== System Binary Copied and/or Moved to Suspicious Directory + +This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name in ("cp", "mv") and process.args : ( + // Shells + "/bin/*sh", "/usr/bin/*sh", + + // Interpreters + "/bin/python*", "/usr/bin/python*", "/bin/php*", "/usr/bin/php*", "/bin/ruby*", "/usr/bin/ruby*", "/bin/perl*", + "/usr/bin/perl*", "/bin/lua*", "/usr/bin/lua*", "/bin/java*", "/usr/bin/java*", + + // Compilers + "/bin/gcc*", "/usr/bin/gcc*", "/bin/g++*", "/usr/bin/g++*", "/bin/cc", "/usr/bin/cc", + + // Suspicious utilities + "/bin/nc", "/usr/bin/nc", "/bin/ncat", "/usr/bin/ncat", "/bin/netcat", "/usr/bin/netcat", "/bin/nc.openbsd", + "/usr/bin/nc.openbsd", "/bin/*awk", "/usr/bin/*awk", "/bin/socat", "/usr/bin/socat", "/bin/openssl", + "/usr/bin/openssl", "/bin/telnet", "/usr/bin/telnet", "/bin/mkfifo", "/usr/bin/mkfifo", "/bin/mknod", + "/usr/bin/mknod", "/bin/ping*", "/usr/bin/ping*", "/bin/nmap", "/usr/bin/nmap", + + // System utilities + "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl", + "/bin/wget", "/usr/bin/wget", "/bin/tmux", "/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh", + "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp" + ) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")] + [file where host.os.type == "linux" and event.action == "creation" and file.path : ( + "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*" + ) and not file.path : ("/tmp/rear*", "/var/tmp/dracut*")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-system-shells-via-services.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-system-shells-via-services.asciidoc new file mode 100644 index 0000000000..2257d41607 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-system-shells-via-services.asciidoc @@ -0,0 +1,138 @@ +[[prebuilt-rule-8-11-7-system-shells-via-services]] +=== System Shells via Services + +Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating System Shells via Services + +Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads. + +This rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045). + - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check for commands executed under the spawned shell. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service or restore it to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "services.exe" and + process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") and + + /* Third party FP's */ + not process.args : "NVDisplay.ContainerLocalSystem" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-third-party-backup-files-deleted-via-unexpected-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-third-party-backup-files-deleted-via-unexpected-process.asciidoc new file mode 100644 index 0000000000..2214834dba --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-third-party-backup-files-deleted-via-unexpected-process.asciidoc @@ -0,0 +1,144 @@ +[[prebuilt-rule-8-11-7-third-party-backup-files-deleted-via-unexpected-process]] +=== Third-party Backup Files Deleted via Unexpected Process + +Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Third-party Backup Files Deleted via Unexpected Process + +Backups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target. + +Attackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom. + +This rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if any files on the host machine have been encrypted. + +### False positive analysis + +- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together. + +### Related rules + +- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "deletion" and + ( + /* Veeam Related Backup Files */ + ( + file.extension : ("VBK", "VIB", "VBM") and + not ( + process.executable : ("?:\\Windows\\*", "?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and + (process.code_signature.trusted == true and process.code_signature.subject_name : ("Veeam Software Group GmbH", "Veeam Software AG")) + ) + ) or + /* Veritas Backup Exec Related Backup File */ + ( + file.extension : "BKF" and + not process.executable : ( + "?:\\Program Files\\Veritas\\Backup Exec\\*", + "?:\\Program Files (x86)\\Veritas\\Backup Exec\\*" + ) + ) + ) and + not ( + process.name : ("MSExchangeMailboxAssistants.exe", "Microsoft.PowerBI.EnterpriseGateway.exe") and + (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) + ) and + not file.path : ( + "?:\\ProgramData\\Trend Micro\\*", + "?:\\Program Files (x86)\\Trend Micro\\*", + "?:\\$RECYCLE.BIN\\*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-threat-intel-hash-indicator-match.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-threat-intel-hash-indicator-match.asciidoc new file mode 100644 index 0000000000..e7bb406c8a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-threat-intel-hash-indicator-match.asciidoc @@ -0,0 +1,116 @@ +[[prebuilt-rule-8-11-7-threat-intel-hash-indicator-match]] +=== Threat Intel Hash Indicator Match + +This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. + +*Rule type*: threat_match + +*Rule indices*: + +* auditbeat-* +* endgame-* +* filebeat-* +* logs-* +* winlogbeat-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 1h + +*Searches indices from*: now-65m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html +* https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html +* https://www.elastic.co/security/tip + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Rule Type: Indicator Match + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and Analysis + +### Investigating Threat Intel Hash Indicator Match + +Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. + +Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation. + +This rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Gain context about the field that matched the local observation. This information can be found in the `threat.indicator.matched.field` field. +- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field: + - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash. +- Identify the process that created the file. + - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization. +- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Using the data collected through the analysis, scope users targeted and other machines infected in the environment. + +### False Positive Analysis + +- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file.hash.*:* or process.hash.*:* or dll.hash.*:* + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-threat-intel-ip-address-indicator-match.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-threat-intel-ip-address-indicator-match.asciidoc new file mode 100644 index 0000000000..a3541db11c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-threat-intel-ip-address-indicator-match.asciidoc @@ -0,0 +1,118 @@ +[[prebuilt-rule-8-11-7-threat-intel-ip-address-indicator-match]] +=== Threat Intel IP Address Indicator Match + +This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event. + +*Rule type*: threat_match + +*Rule indices*: + +* auditbeat-* +* endgame-* +* filebeat-* +* logs-* +* packetbeat-* +* winlogbeat-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 1h + +*Searches indices from*: now-65m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html +* https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html +* https://www.elastic.co/security/tip + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Rule Type: Indicator Match + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and Analysis + +### Investigating Threat Intel IP Address Indicator Match + +Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. + +Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation. + +This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field. +- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field: + - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Using the data collected through the analysis, scope users targeted and other machines infected in the environment. + +### False Positive Analysis + +- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat. +- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure. +- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +source.ip:* or destination.ip:* + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-threat-intel-url-indicator-match.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-threat-intel-url-indicator-match.asciidoc new file mode 100644 index 0000000000..7d40913d95 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-threat-intel-url-indicator-match.asciidoc @@ -0,0 +1,121 @@ +[[prebuilt-rule-8-11-7-threat-intel-url-indicator-match]] +=== Threat Intel URL Indicator Match + +This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc. + +*Rule type*: threat_match + +*Rule indices*: + +* auditbeat-* +* endgame-* +* filebeat-* +* logs-* +* packetbeat-* +* winlogbeat-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 1h + +*Searches indices from*: now-65m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html +* https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html +* https://www.elastic.co/security/tip + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Rule Type: Indicator Match + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and Analysis + +### Investigating Threat Intel URL Indicator Match + +Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. + +Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation. + +This rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field: + - Identify the type of malicious activity related to the URL (phishing, malware, etc.). + - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse. + - If dealing with a phishing incident: + - Contact the user to gain more information around the delivery method, information sent, etc. + - Analyze whether the URL is trying to impersonate a legitimate address. Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user. + - Investigate the phishing page to identify which information may have been sent to the attacker by the user. +- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Using the data collected through the analysis, scope users targeted and other machines infected in the environment. + +### False Positive Analysis + +- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure. +- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Consider reporting the address for abuse using the provided contact information. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +url.full:* + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-threat-intel-windows-registry-indicator-match.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-threat-intel-windows-registry-indicator-match.asciidoc new file mode 100644 index 0000000000..a222213ea9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-threat-intel-windows-registry-indicator-match.asciidoc @@ -0,0 +1,111 @@ +[[prebuilt-rule-8-11-7-threat-intel-windows-registry-indicator-match]] +=== Threat Intel Windows Registry Indicator Match + +This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data. + +*Rule type*: threat_match + +*Rule indices*: + +* auditbeat-* +* endgame-* +* filebeat-* +* logs-* +* winlogbeat-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 1h + +*Searches indices from*: now-65m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html +* https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html +* https://www.elastic.co/security/tip + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Rule Type: Indicator Match + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and Analysis + +### Investigating Threat Intel Windows Registry Indicator Match + +Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. + +Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation. + +This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. Use this information to define the appropriate triage and respond steps. +- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Using the data collected through the analysis, scope users targeted and other machines infected in the environment. + +### False Positive Analysis + +- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry.path:* + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-timestomping-using-touch-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-timestomping-using-touch-command.asciidoc new file mode 100644 index 0000000000..2914a3092d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-timestomping-using-touch-command.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-11-7-timestomping-using-touch-command]] +=== Timestomping using Touch Command + +Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.name : "touch" and user.id != "0" and + process.args : ("-r", "-t", "-a*","-m*") and + not process.args : ( + "/usr/lib/go-*/bin/go", "/usr/lib/dracut/dracut-functions.sh", "/tmp/KSInstallAction.*/m/.patch/*" +) and not process.parent.name in ("pmlogger_daily", "pmlogger_janitor", "systemd") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Timestomp +** ID: T1070.006 +** Reference URL: https://attack.mitre.org/techniques/T1070/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc new file mode 100644 index 0000000000..4387c5d671 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc @@ -0,0 +1,154 @@ +[[prebuilt-rule-8-11-7-uac-bypass-attempt-via-windows-directory-masquerading]] +=== UAC Bypass Attempt via Windows Directory Masquerading + +Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating UAC Bypass Attempt via Windows Directory Masquerading + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). + +This rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze any suspicious spawned processes using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc new file mode 100644 index 0000000000..3ba94ed9de --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc @@ -0,0 +1,98 @@ +[[prebuilt-rule-8-11-7-uac-bypass-via-diskcleanup-scheduled-task-hijack]] +=== UAC Bypass via DiskCleanup Scheduled Task Hijack + +Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.args : "/autoclean" and process.args : "/d" and process.executable != null and + not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe", + "C:\\Windows\\SysWOW64\\cleanmgr.exe", + "C:\\Windows\\System32\\taskhostw.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-child-process-from-a-system-virtual-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-child-process-from-a-system-virtual-process.asciidoc new file mode 100644 index 0000000000..062fd65816 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-child-process-from-a-system-virtual-process.asciidoc @@ -0,0 +1,65 @@ +[[prebuilt-rule-8-11-7-unusual-child-process-from-a-system-virtual-process]] +=== Unusual Child Process from a System Virtual Process + +Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.pid == 4 and process.executable : "?*" and + not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-parent-child-relationship.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-parent-child-relationship.asciidoc new file mode 100644 index 0000000000..0e722b9ee6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-parent-child-relationship.asciidoc @@ -0,0 +1,159 @@ +[[prebuilt-rule-8-11-7-unusual-parent-child-relationship]] +=== Unusual Parent-Child Relationship + +Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png +* https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Parent-Child Relationship + +Windows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline. + +This rule uses this information to spot suspicious parent and child processes. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +process.parent.name != null and + ( + /* suspicious parent processes */ + (process.name:"autochk.exe" and not process.parent.name:"smss.exe") or + (process.name:("fontdrvhost.exe", "dwm.exe") and not process.parent.name:("wininit.exe", "winlogon.exe")) or + (process.name:("consent.exe", "RuntimeBroker.exe", "TiWorker.exe") and not process.parent.name:"svchost.exe") or + (process.name:"SearchIndexer.exe" and not process.parent.name:"services.exe") or + (process.name:"SearchProtocolHost.exe" and not process.parent.name:("SearchIndexer.exe", "dllhost.exe")) or + (process.name:"dllhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or + (process.name:"smss.exe" and not process.parent.name:("System", "smss.exe")) or + (process.name:"csrss.exe" and not process.parent.name:("smss.exe", "svchost.exe")) or + (process.name:"wininit.exe" and not process.parent.name:"smss.exe") or + (process.name:"winlogon.exe" and not process.parent.name:"smss.exe") or + (process.name:("lsass.exe", "LsaIso.exe") and not process.parent.name:"wininit.exe") or + (process.name:"LogonUI.exe" and not process.parent.name:("wininit.exe", "winlogon.exe")) or + (process.name:"services.exe" and not process.parent.name:"wininit.exe") or + (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe", "svchost.exe")) or + (process.name:"spoolsv.exe" and not process.parent.name:"services.exe") or + (process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe", "ngentask.exe")) or + (process.name:"taskhostw.exe" and not process.parent.name:("services.exe", "svchost.exe")) or + (process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe")) or + (process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or + /* suspicious child processes */ + (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe", "conhost.exe")) or + (process.parent.name:"autochk.exe" and not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or + (process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe")) or + (process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or + (process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Process Hollowing +** ID: T1055.012 +** Reference URL: https://attack.mitre.org/techniques/T1055/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-persistence-via-services-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-persistence-via-services-registry.asciidoc new file mode 100644 index 0000000000..c3e54799de --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-persistence-via-services-registry.asciidoc @@ -0,0 +1,94 @@ +[[prebuilt-rule-8-11-7-unusual-persistence-via-services-registry]] +=== Unusual Persistence via Services Registry + +Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type == "change" and + registry.path : ( + "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL", + "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath", + "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL", + "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath" + ) and not registry.data.strings : ( + "?:\\windows\\system32\\Drivers\\*.sys", + "\\SystemRoot\\System32\\drivers\\*.sys", + "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS", + "system32\\DRIVERS\\USBSTOR") and + not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and + not process.executable : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\winsxs\\*\\TiWorker.exe", + "?:\\Windows\\System32\\drvinst.exe", + "?:\\Windows\\System32\\services.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\System32\\regsvr32.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-print-spooler-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-print-spooler-child-process.asciidoc new file mode 100644 index 0000000000..7d12eb291a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-print-spooler-child-process.asciidoc @@ -0,0 +1,79 @@ +[[prebuilt-rule-8-11-7-unusual-print-spooler-child-process]] +=== Unusual Print Spooler Child Process + +Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "spoolsv.exe" and process.command_line != null and + (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and + + /* exclusions for FP control below */ + not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and + not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and + not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and + not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and + not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and + not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and + not process.executable : ( + "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe", + "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-process-execution-path-alternate-data-stream.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-process-execution-path-alternate-data-stream.asciidoc new file mode 100644 index 0000000000..df21e0f3c8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-process-execution-path-alternate-data-stream.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-7-unusual-process-execution-path-alternate-data-stream]] +=== Unusual Process Execution Path - Alternate Data Stream + +Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.args : "?:\\*:*" and process.args_count == 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: NTFS File Attributes +** ID: T1564.004 +** Reference URL: https://attack.mitre.org/techniques/T1564/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-service-host-child-process-childless-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-service-host-child-process-childless-service.asciidoc new file mode 100644 index 0000000000..dd2e5cd28f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-unusual-service-host-child-process-childless-service.asciidoc @@ -0,0 +1,105 @@ +[[prebuilt-rule-8-11-7-unusual-service-host-child-process-childless-service]] +=== Unusual Service Host Child Process - Childless Service + +Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "svchost.exe" and + + /* based on svchost service arguments -s svcname where the service is known to be childless */ + process.parent.args : ( + "WdiSystemHost", "LicenseManager", "StorSvc", "CDPSvc", "cdbhsvc", "BthAvctpSvc", "SstpSvc", "WdiServiceHost", + "imgsvc", "TrkWks", "WpnService", "IKEEXT", "PolicyAgent", "CryptSvc", "netprofm", "ProfSvc", "StateRepository", + "camsvc", "LanmanWorkstation", "NlaSvc", "EventLog", "hidserv", "DisplayEnhancementService", "ShellHWDetection", + "AppHostSvc", "fhsvc", "CscService", "PushToInstall" + ) and + + /* unknown FPs can be added here */ + not process.name : ("WerFault.exe", "WerFaultSecure.exe", "wermgr.exe") and + not (process.executable : "?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and + not ( + process.name : "rundll32.exe" and + process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and + process.parent.args : "WdiServiceHost" + ) and + not ( + process.executable : ( + "?:\\Program Files\\*", + "?:\\Program Files (x86)\\*", + "?:\\Windows\\System32\\Kodak\\kds_?????\\lib\\lexexe.exe" + ) and process.parent.args : "imgsvc" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Process Hollowing +** ID: T1055.012 +** Reference URL: https://attack.mitre.org/techniques/T1055/012/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Process Hollowing +** ID: T1055.012 +** Reference URL: https://attack.mitre.org/techniques/T1055/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc new file mode 100644 index 0000000000..2ee08d3be5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc @@ -0,0 +1,133 @@ +[[prebuilt-rule-8-11-7-volume-shadow-copy-deleted-or-resized-via-vssadmin]] +=== Volume Shadow Copy Deleted or Resized via VssAdmin + +Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring. + +This rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB. +- Investigate other alerts associated with the user/host during the past 48 hours. +- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule may produce benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Priority should be given due to the advanced stage of this activity on the attack. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" + and (process.name : "vssadmin.exe" or ?process.pe.original_file_name == "VSSADMIN.EXE") and + process.args in ("delete", "resize") and process.args : "shadows*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-volume-shadow-copy-deletion-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-volume-shadow-copy-deletion-via-powershell.asciidoc new file mode 100644 index 0000000000..9bb8a7bab7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-volume-shadow-copy-deletion-via-powershell.asciidoc @@ -0,0 +1,152 @@ +[[prebuilt-rule-8-11-7-volume-shadow-copy-deletion-via-powershell]] +=== Volume Shadow Copy Deletion via PowerShell + +Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy +* https://powershell.one/wmi/root/cimv2/win32_shadowcopy +* https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Volume Shadow Copy Deletion via PowerShell + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring. + +This rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them. + +#### Possible investigation steps + +- Investigate the program execution chain (parent process tree). +- Check whether the account is authorized to perform this operation. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Priority should be given due to the advanced stage of this activity on the attack. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + process.args : ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*") and + process.args : ("*Win32_ShadowCopy*") and + process.args : ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-web-shell-detection-script-process-child-of-common-web-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-web-shell-detection-script-process-child-of-common-web-processes.asciidoc new file mode 100644 index 0000000000..e982198856 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-web-shell-detection-script-process-child-of-common-web-processes.asciidoc @@ -0,0 +1,170 @@ +[[prebuilt-rule-8-11-7-web-shell-detection-script-process-child-of-common-web-processes]] +=== Web Shell Detection: Script Process Child of Common Web Processes + +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/ +* https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965 +* https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Initial Access +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Web Shell Detection: Script Process Child of Common Web Processes + +Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server. + +This rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell. + +#### Possible investigation steps + +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes. +- Examine the command line to determine which commands or scripts were executed. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and + process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe") and + not + ( + process.parent.name : ("php.exe", "httpd.exe") and process.name : "cmd.exe" and + process.command_line : ( + "cmd.exe /c mode CON", + "cmd.exe /s /c \"mode CON\"", + "cmd.exe /c \"mode\"", + "cmd.exe /s /c \"tput colors 2>&1\"" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-whoami-process-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-whoami-process-activity.asciidoc new file mode 100644 index 0000000000..825b489058 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-whoami-process-activity.asciidoc @@ -0,0 +1,130 @@ +[[prebuilt-rule-8-11-7-whoami-process-activity]] +=== Whoami Process Activity + +Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* logs-system.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Whoami Process Activity + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Related rules + +- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.name : "whoami.exe" and +( + ( + /* scoped for whoami execution under system privileges */ + ( + user.domain : ("NT *", "* NT", "IIS APPPOOL") and + user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20", "S-1-5-82-*") and + not ?winlog.event_data.SubjectUserName : "*$" + ) and + not ( + process.parent.name : "cmd.exe" and + process.parent.args : ( + "chcp 437>nul 2>&1 & C:\\WINDOWS\\System32\\whoami.exe /groups", + "chcp 437>nul 2>&1 & %systemroot%\\system32\\whoami /user", + "C:\\WINDOWS\\System32\\whoami.exe /groups", + "*WINDOWS\\system32\\config\\systemprofile*" + ) + ) and + not (process.parent.executable : "C:\\Windows\\system32\\inetsrv\\appcmd.exe" and process.parent.args : "LIST") and + not process.parent.executable : ( + "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe", + "C:\\Program Files\\Cohesity\\cohesity_windows_agent_service.exe" + ) + ) or + process.parent.name : ("wsmprovhost.exe", "w3wp.exe", "wmiprvse.exe", "rundll32.exe", "regsvr32.exe") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Owner/User Discovery +** ID: T1033 +** Reference URL: https://attack.mitre.org/techniques/T1033/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-windows-defender-exclusions-added-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-windows-defender-exclusions-added-via-powershell.asciidoc new file mode 100644 index 0000000000..da47c96fcc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-windows-defender-exclusions-added-via-powershell.asciidoc @@ -0,0 +1,145 @@ +[[prebuilt-rule-8-11-7-windows-defender-exclusions-added-via-powershell]] +=== Windows Defender Exclusions Added via PowerShell + +Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Defender Exclusions Added via PowerShell + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Examine the exclusion in order to determine the intent behind it. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. There are many legitimate reasons for exclusions, so it's important to gain context. + +### Related rules + +- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb +- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Exclusion lists for antimalware capabilities should always be routinely monitored for review. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and + process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and + process.args : ("*-Exclusion*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-windows-script-executing-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-windows-script-executing-powershell.asciidoc new file mode 100644 index 0000000000..fbc0f2242e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-windows-script-executing-powershell.asciidoc @@ -0,0 +1,149 @@ +[[prebuilt-rule-8-11-7-windows-script-executing-powershell]] +=== Windows Script Executing PowerShell + +Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Script Executing PowerShell + +The Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation. + +Attackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals. + +This rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate commands executed by the spawned PowerShell process. +- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Determine how the script file was delivered (email attachment, dropped by other processes, etc.). +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Reimage the host operating system and restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("cscript.exe", "wscript.exe") and process.name : "powershell.exe" and + not ( + process.parent.name : "wscript.exe" and + process.parent.args : "?:\\ProgramData\\intune-drive-mapping-generator\\IntuneDriveMapping-VBSHelper.vbs" and + process.parent.args : "?:\\ProgramData\\intune-drive-mapping-generator\\DriveMapping.ps1" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-windows-service-installed-via-an-unusual-client.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-windows-service-installed-via-an-unusual-client.asciidoc new file mode 100644 index 0000000000..04e406ce81 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-windows-service-installed-via-an-unusual-client.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-11-7-windows-service-installed-via-an-unusual-client]] +=== Windows Service Installed via an Unusual Client + +Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.x86matthew.com/view_post?id=create_svc_rpc +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"service-installed" and + (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0") and + not winlog.event_data.ServiceFileName : ( + "C:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe" or + "%SystemRoot%\\system32\\Drivers\\Crowdstrike\\17706-CsInstallerService.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-windows-subsystem-for-linux-enabled-via-dism-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-windows-subsystem-for-linux-enabled-via-dism-utility.asciidoc new file mode 100644 index 0000000000..d07b60096e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-windows-subsystem-for-linux-enabled-via-dism-utility.asciidoc @@ -0,0 +1,111 @@ +[[prebuilt-rule-8-11-7-windows-subsystem-for-linux-enabled-via-dism-utility]] +=== Windows Subsystem for Linux Enabled via Dism Utility + +Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Subsystem for Linux Enabled via Dism Utility + +The Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks. + +This rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string "Microsoft-Windows-Subsystem-Linux". + +### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + +### False positive analysis + +- This is a dual-use tool, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment. + +### Related Rules + +- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd +- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7 +- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b +- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061 + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type : "start" and + (process.name : "Dism.exe" or ?process.pe.original_file_name == "DISM.EXE") and + process.command_line : "*Microsoft-Windows-Subsystem-Linux*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indirect Command Execution +** ID: T1202 +** Reference URL: https://attack.mitre.org/techniques/T1202/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-wireless-credential-dumping-using-netsh-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-wireless-credential-dumping-using-netsh-command.asciidoc new file mode 100644 index 0000000000..1cd7556c9d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rule-8-11-7-wireless-credential-dumping-using-netsh-command.asciidoc @@ -0,0 +1,131 @@ +[[prebuilt-rule-8-11-7-wireless-credential-dumping-using-netsh-command]] +=== Wireless Credential Dumping using Netsh Command + +Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts +* https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Discovery +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Wireless Credential Dumping using Netsh Command + +Netsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks. + +This rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe: + - Observe and collect information about the following activities in the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "netsh.exe" or ?process.pe.original_file_name == "netsh.exe") and + process.args : "wlan" and process.args : "key*clear" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rules-8-11-7-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rules-8-11-7-appendix.asciidoc new file mode 100644 index 0000000000..e798886b38 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rules-8-11-7-appendix.asciidoc @@ -0,0 +1,190 @@ +["appendix",role="exclude",id="prebuilt-rule-8-11-7-prebuilt-rules-8-11-7-appendix"] += Downloadable rule update v8.11.7 + +This section lists all updates associated with version 8.11.7 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-11-7-file-system-debugger-launched-inside-a-privileged-container.asciidoc[] +include::prebuilt-rule-8-11-7-mount-launched-inside-a-privileged-container.asciidoc[] +include::prebuilt-rule-8-11-7-potential-container-escape-via-modified-notify-on-release-file.asciidoc[] +include::prebuilt-rule-8-11-7-potential-container-escape-via-modified-release-agent-file.asciidoc[] +include::prebuilt-rule-8-11-7-github-app-deleted.asciidoc[] +include::prebuilt-rule-8-11-7-high-number-of-cloned-github-repos-from-pat.asciidoc[] +include::prebuilt-rule-8-11-7-github-ueba-multiple-alerts-from-a-github-account.asciidoc[] +include::prebuilt-rule-8-11-7-process-capability-enumeration.asciidoc[] +include::prebuilt-rule-8-11-7-kernel-driver-load-by-non-root-user.asciidoc[] +include::prebuilt-rule-8-11-7-potential-privilege-escalation-via-linux-dac-permissions.asciidoc[] +include::prebuilt-rule-8-11-7-potential-chroot-container-escape-via-mount.asciidoc[] +include::prebuilt-rule-8-11-7-potential-privilege-escalation-via-enlightenment.asciidoc[] +include::prebuilt-rule-8-11-7-privilege-escalation-via-gdb-cap-sys-ptrace.asciidoc[] +include::prebuilt-rule-8-11-7-root-network-connection-via-gdb-cap-sys-ptrace.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-network-connection-via-sudo-binary.asciidoc[] +include::prebuilt-rule-8-11-7-potential-buffer-overflow-attack-detected.asciidoc[] +include::prebuilt-rule-8-11-7-privilege-escalation-via-cap-chown-cap-fowner-capabilities.asciidoc[] +include::prebuilt-rule-8-11-7-privilege-escalation-via-cap-setuid-setgid-capabilities.asciidoc[] +include::prebuilt-rule-8-11-7-potential-evasion-via-windows-filtering-platform.asciidoc[] +include::prebuilt-rule-8-11-7-timestomping-using-touch-command.asciidoc[] +include::prebuilt-rule-8-11-7-security-software-discovery-via-grep.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-java-child-process.asciidoc[] +include::prebuilt-rule-8-11-7-sudo-heap-based-buffer-overflow-attempt.asciidoc[] +include::prebuilt-rule-8-11-7-sudoers-file-modification.asciidoc[] +include::prebuilt-rule-8-11-7-threat-intel-ip-address-indicator-match.asciidoc[] +include::prebuilt-rule-8-11-7-threat-intel-hash-indicator-match.asciidoc[] +include::prebuilt-rule-8-11-7-threat-intel-windows-registry-indicator-match.asciidoc[] +include::prebuilt-rule-8-11-7-threat-intel-url-indicator-match.asciidoc[] +include::prebuilt-rule-8-11-7-aws-iam-brute-force-of-assume-role-policy.asciidoc[] +include::prebuilt-rule-8-11-7-aws-management-console-brute-force-of-root-user-identity.asciidoc[] +include::prebuilt-rule-8-11-7-statistical-model-detected-c2-beaconing-activity.asciidoc[] +include::prebuilt-rule-8-11-7-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc[] +include::prebuilt-rule-8-11-7-github-repository-deleted.asciidoc[] +include::prebuilt-rule-8-11-7-new-github-owner-added.asciidoc[] +include::prebuilt-rule-8-11-7-github-owner-role-granted-to-user.asciidoc[] +include::prebuilt-rule-8-11-7-attempts-to-brute-force-a-microsoft-365-user-account.asciidoc[] +include::prebuilt-rule-8-11-7-potential-password-spraying-of-microsoft-365-user-accounts.asciidoc[] +include::prebuilt-rule-8-11-7-o365-excessive-single-sign-on-logon-errors.asciidoc[] +include::prebuilt-rule-8-11-7-attempts-to-brute-force-an-okta-user-account.asciidoc[] +include::prebuilt-rule-8-11-7-okta-brute-force-or-password-spraying-attack.asciidoc[] +include::prebuilt-rule-8-11-7-high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc[] +include::prebuilt-rule-8-11-7-network-activity-detected-via-kworker.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc[] +include::prebuilt-rule-8-11-7-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc[] +include::prebuilt-rule-8-11-7-file-made-immutable-by-chattr.asciidoc[] +include::prebuilt-rule-8-11-7-file-permission-modification-in-writable-directory.asciidoc[] +include::prebuilt-rule-8-11-7-creation-of-hidden-files-and-directories-via-commandline.asciidoc[] +include::prebuilt-rule-8-11-7-enumeration-of-kernel-modules.asciidoc[] +include::prebuilt-rule-8-11-7-abnormal-process-id-or-lock-file-created.asciidoc[] +include::prebuilt-rule-8-11-7-potential-curl-cve-2023-38545-exploitation.asciidoc[] +include::prebuilt-rule-8-11-7-network-connection-via-recently-compiled-executable.asciidoc[] +include::prebuilt-rule-8-11-7-binary-executed-from-shared-memory-directory.asciidoc[] +include::prebuilt-rule-8-11-7-potential-reverse-shell-via-java.asciidoc[] +include::prebuilt-rule-8-11-7-potential-reverse-shell-via-suspicious-child-process.asciidoc[] +include::prebuilt-rule-8-11-7-high-number-of-process-terminations.asciidoc[] +include::prebuilt-rule-8-11-7-chkconfig-service-add.asciidoc[] +include::prebuilt-rule-8-11-7-modification-of-openssh-binaries.asciidoc[] +include::prebuilt-rule-8-11-7-cron-job-created-or-changed-by-previously-unknown-process.asciidoc[] +include::prebuilt-rule-8-11-7-dynamic-linker-copy.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-file-creation-in-etc-for-persistence.asciidoc[] +include::prebuilt-rule-8-11-7-potential-persistence-through-init-d-detected.asciidoc[] +include::prebuilt-rule-8-11-7-kernel-module-load-via-insmod.asciidoc[] +include::prebuilt-rule-8-11-7-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-file-creation-via-kworker.asciidoc[] +include::prebuilt-rule-8-11-7-potential-persistence-through-motd-file-creation-detected.asciidoc[] +include::prebuilt-rule-8-11-7-potential-persistence-through-run-control-detected.asciidoc[] +include::prebuilt-rule-8-11-7-setcap-setuid-setgid-capability-set.asciidoc[] +include::prebuilt-rule-8-11-7-shared-object-created-or-changed-by-previously-unknown-process.asciidoc[] +include::prebuilt-rule-8-11-7-new-systemd-timer-created.asciidoc[] +include::prebuilt-rule-8-11-7-new-systemd-service-created-by-previously-unknown-process.asciidoc[] +include::prebuilt-rule-8-11-7-potential-macos-ssh-brute-force-detected.asciidoc[] +include::prebuilt-rule-8-11-7-potential-network-sweep-detected.asciidoc[] +include::prebuilt-rule-8-11-7-potential-network-scan-detected.asciidoc[] +include::prebuilt-rule-8-11-7-potential-syn-based-network-scan-detected.asciidoc[] +include::prebuilt-rule-8-11-7-credential-dumping-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-credential-dumping-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-adversary-behavior-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-malware-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-malware-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-ransomware-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-ransomware-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-exploit-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-exploit-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-credential-manipulation-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-credential-manipulation-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-permission-theft-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-permission-theft-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-process-injection-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-process-injection-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-11-7-potential-file-transfer-via-certreq.asciidoc[] +include::prebuilt-rule-8-11-7-potential-dns-tunneling-via-nslookup.asciidoc[] +include::prebuilt-rule-8-11-7-remote-file-download-via-desktopimgdownldr-utility.asciidoc[] +include::prebuilt-rule-8-11-7-remote-file-download-via-mpcmdrun.asciidoc[] +include::prebuilt-rule-8-11-7-ntds-or-sam-database-file-copied.asciidoc[] +include::prebuilt-rule-8-11-7-credential-acquisition-via-registry-hive-dumping.asciidoc[] +include::prebuilt-rule-8-11-7-microsoft-iis-service-account-password-dumped.asciidoc[] +include::prebuilt-rule-8-11-7-microsoft-iis-connection-strings-decryption.asciidoc[] +include::prebuilt-rule-8-11-7-wireless-credential-dumping-using-netsh-command.asciidoc[] +include::prebuilt-rule-8-11-7-adding-hidden-file-attribute-via-attrib.asciidoc[] +include::prebuilt-rule-8-11-7-clearing-windows-console-history.asciidoc[] +include::prebuilt-rule-8-11-7-clearing-windows-event-logs.asciidoc[] +include::prebuilt-rule-8-11-7-code-signing-policy-modification-through-built-in-tools.asciidoc[] +include::prebuilt-rule-8-11-7-windows-defender-exclusions-added-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-7-delete-volume-usn-journal-with-fsutil.asciidoc[] +include::prebuilt-rule-8-11-7-disable-windows-firewall-rules-via-netsh.asciidoc[] +include::prebuilt-rule-8-11-7-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc[] +include::prebuilt-rule-8-11-7-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc[] +include::prebuilt-rule-8-11-7-control-panel-process-with-unusual-arguments.asciidoc[] +include::prebuilt-rule-8-11-7-imageload-via-windows-update-auto-update-client.asciidoc[] +include::prebuilt-rule-8-11-7-microsoft-build-engine-started-an-unusual-process.asciidoc[] +include::prebuilt-rule-8-11-7-iis-http-logging-disabled.asciidoc[] +include::prebuilt-rule-8-11-7-msbuild-making-network-connections.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-net-reflection-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-certutil-commands.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-wmic-xsl-script-execution.asciidoc[] +include::prebuilt-rule-8-11-7-file-creation-time-changed.asciidoc[] +include::prebuilt-rule-8-11-7-unusual-process-execution-path-alternate-data-stream.asciidoc[] +include::prebuilt-rule-8-11-7-unusual-child-process-from-a-system-virtual-process.asciidoc[] +include::prebuilt-rule-8-11-7-potential-evasion-via-filter-manager.asciidoc[] +include::prebuilt-rule-8-11-7-signed-proxy-execution-via-ms-work-folders.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-execution-via-windows-subsystem-for-linux.asciidoc[] +include::prebuilt-rule-8-11-7-execution-via-windows-subsystem-for-linux.asciidoc[] +include::prebuilt-rule-8-11-7-windows-subsystem-for-linux-enabled-via-dism-utility.asciidoc[] +include::prebuilt-rule-8-11-7-host-files-system-changes-via-windows-subsystem-for-linux.asciidoc[] +include::prebuilt-rule-8-11-7-attempt-to-install-kali-linux-via-wsl.asciidoc[] +include::prebuilt-rule-8-11-7-adfind-command-activity.asciidoc[] +include::prebuilt-rule-8-11-7-enumeration-of-administrator-accounts.asciidoc[] +include::prebuilt-rule-8-11-7-account-discovery-command-via-system-account.asciidoc[] +include::prebuilt-rule-8-11-7-enumerating-domain-trusts-via-dsquery-exe.asciidoc[] +include::prebuilt-rule-8-11-7-enumerating-domain-trusts-via-nltest-exe.asciidoc[] +include::prebuilt-rule-8-11-7-powershell-suspicious-discovery-related-windows-api-functions.asciidoc[] +include::prebuilt-rule-8-11-7-enumeration-of-privileged-local-groups-membership.asciidoc[] +include::prebuilt-rule-8-11-7-whoami-process-activity.asciidoc[] +include::prebuilt-rule-8-11-7-command-execution-via-solarwinds-process.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-solarwinds-child-process.asciidoc[] +include::prebuilt-rule-8-11-7-command-prompt-network-connection.asciidoc[] +include::prebuilt-rule-8-11-7-svchost-spawning-cmd.asciidoc[] +include::prebuilt-rule-8-11-7-enumeration-command-spawned-via-wmiprvse.asciidoc[] +include::prebuilt-rule-8-11-7-execution-from-unusual-directory-command-line.asciidoc[] +include::prebuilt-rule-8-11-7-network-connection-via-compiled-html-file.asciidoc[] +include::prebuilt-rule-8-11-7-potential-powershell-hacktool-script-by-function-names.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-cmd-execution-via-wmi.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-powershell-engine-imageload.asciidoc[] +include::prebuilt-rule-8-11-7-third-party-backup-files-deleted-via-unexpected-process.asciidoc[] +include::prebuilt-rule-8-11-7-deleting-backup-catalogs-with-wbadmin.asciidoc[] +include::prebuilt-rule-8-11-7-high-number-of-process-and-or-service-terminations.asciidoc[] +include::prebuilt-rule-8-11-7-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc[] +include::prebuilt-rule-8-11-7-volume-shadow-copy-deletion-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-7-windows-script-executing-powershell.asciidoc[] +include::prebuilt-rule-8-11-7-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc[] +include::prebuilt-rule-8-11-7-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-ms-office-child-process.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-ms-outlook-child-process.asciidoc[] +include::prebuilt-rule-8-11-7-potential-pass-the-hash-pth-attempt.asciidoc[] +include::prebuilt-rule-8-11-7-direct-outbound-smb-connection.asciidoc[] +include::prebuilt-rule-8-11-7-remote-execution-via-file-shares.asciidoc[] +include::prebuilt-rule-8-11-7-remote-file-copy-to-a-hidden-share.asciidoc[] +include::prebuilt-rule-8-11-7-remotely-started-services-via-rpc.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-rdp-activex-client-loaded.asciidoc[] +include::prebuilt-rule-8-11-7-registry-persistence-via-appinit-dll.asciidoc[] +include::prebuilt-rule-8-11-7-persistence-via-scheduled-job-creation.asciidoc[] +include::prebuilt-rule-8-11-7-a-scheduled-task-was-created.asciidoc[] +include::prebuilt-rule-8-11-7-unusual-persistence-via-services-registry.asciidoc[] +include::prebuilt-rule-8-11-7-component-object-model-hijacking.asciidoc[] +include::prebuilt-rule-8-11-7-system-shells-via-services.asciidoc[] +include::prebuilt-rule-8-11-7-potential-persistence-via-time-provider-modification.asciidoc[] +include::prebuilt-rule-8-11-7-potential-application-shimming-via-sdbinst.asciidoc[] +include::prebuilt-rule-8-11-7-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc[] +include::prebuilt-rule-8-11-7-persistence-via-wmi-event-subscription.asciidoc[] +include::prebuilt-rule-8-11-7-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc[] +include::prebuilt-rule-8-11-7-web-shell-detection-script-process-child-of-common-web-processes.asciidoc[] +include::prebuilt-rule-8-11-7-expired-or-revoked-driver-loaded.asciidoc[] +include::prebuilt-rule-8-11-7-privilege-escalation-via-named-pipe-impersonation.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-printspooler-service-executable-file-creation.asciidoc[] +include::prebuilt-rule-8-11-7-suspicious-print-spooler-spl-file-created.asciidoc[] +include::prebuilt-rule-8-11-7-sedebugprivilege-enabled-by-a-suspicious-process.asciidoc[] +include::prebuilt-rule-8-11-7-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc[] +include::prebuilt-rule-8-11-7-bypass-uac-via-event-viewer.asciidoc[] +include::prebuilt-rule-8-11-7-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc[] +include::prebuilt-rule-8-11-7-unusual-parent-child-relationship.asciidoc[] +include::prebuilt-rule-8-11-7-unusual-print-spooler-child-process.asciidoc[] +include::prebuilt-rule-8-11-7-unusual-service-host-child-process-childless-service.asciidoc[] +include::prebuilt-rule-8-11-7-privileges-elevation-via-parent-process-pid-spoofing.asciidoc[] +include::prebuilt-rule-8-11-7-windows-service-installed-via-an-unusual-client.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rules-8-11-7-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rules-8-11-7-summary.asciidoc new file mode 100644 index 0000000000..e6673c6e7d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-7/prebuilt-rules-8-11-7-summary.asciidoc @@ -0,0 +1,380 @@ +[[prebuilt-rule-8-11-7-prebuilt-rules-8-11-7-summary]] +[role="xpack"] +== Update v8.11.7 + +This section lists all updates associated with version 8.11.7 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine. | new | 1 + +|<> | This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a device or file system accessible to the system, and then to connect its root directory to a specified mount point on the local file system. When launched inside a privileged container--a container deployed with all the capabilities of the host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine. Any usage of mount inside a running privileged container should be further investigated. | new | 1 + +|<> | This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take advantage of this feature, which could be used for further privilege escalation and container escapes to the host machine. | new | 1 + +|<> | This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent which could be used for further privilege escalation and container escapes to the host machine. | new | 1 + +|<> | Detects the deletion of a GitHub app either from a repo or an organization. | new | 1 + +|<> | Detects a high number of unique private repo clone events originating from a single personal access token within a short time period. | new | 1 + +|<> | This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user accounts or PATs. | new | 1 + +|<> | Identifies recursive process capability enumeration of the entire filesystem through the getcap command. Malicious users may manipulate identified capabilities to gain root privileges. | new | 1 + +|<> | Detects the loading of a Linux kernel module by a non-root user through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager. | new | 1 + +|<> | Identifies potential privilege escalation exploitation of DAC (Discretionary access control) file permissions. The rule identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities include CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable permission on the directories). | new | 1 + +|<> | Monitors for the execution of a file system mount followed by a chroot execution. Given enough permissions, a user within a container is capable of mounting the root file system of the host, and leveraging chroot to escape its containarized environment. This behavior pattern is very uncommon and should be investigated. | new | 1 + +|<> | Identifies an attempt to exploit a local privilege escalation CVE-2022-37706 via a flaw in Linux window manager package Enlightenment. enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring. | new | 1 + +|<> | Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use the ptrace system call, which is typically used for debugging and allows the process to trace and control other processes. Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order to escalate their privileges to root. | new | 1 + +|<> | Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which an outbound network connection is initiated by UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use the ptrace system call, which is typically used for debugging and allows the process to trace and control other processes. Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order to execute shell code and gain a reverse shell with root privileges. | new | 1 + +|<> | Detects network connections initiated by the "sudo" binary. This behavior is uncommon and may occur in instances where reverse shell shellcode is injected into a process run with elevated permissions via "sudo". Attackers may attempt to inject shellcode into processes running as root, to escalate privileges. | new | 1 + +|<> | Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short time interval could indicate application exploitation attempts. | new | 1 + +|<> | Identifies instances where a processes (granted CAP_CHOWN and/or CAP_FOWNER capabilities) is executed, after which the ownership of a suspicious file or binary is changed. In Linux, the CAP_CHOWN capability allows a process to change the owner of a file, while CAP_FOWNER permits it to bypass permission checks on operations that require file ownership (like reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files. | new | 1 + +|<> | Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SETUID and CAP_SETGID capabilities allow a process to change its UID and GID, respectively, providing control over user and group identity management. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root. | new | 1 + +|<> | Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry. | new | 1 + +|<> | Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder. | update | 105 + +|<> | Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details. | update | 108 + +|<> | Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. | update | 207 + +|<> | Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user. | update | 104 + +|<> | A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. | update | 204 + +|<> | This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event. | update | 5 + +|<> | This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. | update | 6 + +|<> | This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data. | update | 5 + +|<> | This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc. | update | 5 + +|<> | Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. | update | 209 + +|<> | Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. | update | 206 + +|<> | A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. | update | 3 + +|<> | A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. | update | 3 + +|<> | This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization. | update | 2 + +|<> | Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. | update | 3 + +|<> | This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. | update | 3 + +|<> | Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. | update | 103 + +|<> | Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts. | update | 103 + +|<> | Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token. | update | 103 + +|<> | Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts. | update | 208 + +|<> | Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. | update | 208 + +|<> | Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection. | update | 208 + +|<> | This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. | update | 2 + +|<> | This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. | update | 7 + +|<> | This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated. | update | 5 + +|<> | Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). | update | 110 + +|<> | Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. | update | 208 + +|<